MEDIUM 5.3

CVE-2026-46843: Oracle REST Data Services DoS Vulnerability—Patch Guidance

Oracle REST Data Services versions 24.2.0 through 26.1.0 contain a vulnerability that allows an attacker without credentials to trigger a partial denial of service over the network via HTTPS. The vulnerability is in the Core component and requires no special user interaction. An attacker can exploit this remotely to degrade availability of the REST Data Services instance, though data confidentiality and integrity are not at risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-400
Affected products
1 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-46843 is an unimplemented resource management flaw (CWE-400) in Oracle REST Data Services Core. The vulnerability has a network attack vector, low complexity, and requires no authentication or user interaction. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) reflects its narrow impact scope: availability degradation only, with no confidentiality or integrity breach. Affected versions span from 24.2.0 to 26.1.0 inclusive.

Business impact

Organizations running Oracle REST Data Services in this version range face partial service disruption risk. REST Data Services often forms a critical bridge between databases and application architectures; availability loss can cascade to dependent applications and APIs. While the impact is partial rather than complete, even intermittent unavailability of API services can disrupt customer-facing functionality and internal processes. The ease of exploitation—requiring no authentication—means any attacker on the network can trigger degradation without valid credentials.

Affected systems

Oracle REST Data Services versions 24.2.0, 24.3.0, 24.4.0, 25.x, and 26.0.0–26.1.0 are impacted. Verify your deployment version immediately; versions outside this range are unaffected. REST Data Services deployed on-premises, in hybrid environments, or in Oracle Cloud are all in scope if running a vulnerable version.

Exploitability

Exploitation is straightforward: the vulnerability is easily exploitable per the CVE description, requires no authentication, no user interaction, and can be triggered remotely via HTTPS. An attacker needs only network-level access to the REST Data Services endpoint. This low barrier to entry makes proactive patching essential, as exploitation does not require sophistication or valid credentials.

Remediation

Apply vendor patches to move to a version later than 26.1.0. Contact Oracle for the specific patched version and download guidance. Implement network segmentation to restrict HTTPS access to REST Data Services endpoints to trusted sources only. Monitor for unusual connection patterns or resource exhaustion targeting these endpoints. Verify patch application and test in a non-production environment first to confirm compatibility with your application stack.

Patch guidance

Consult Oracle's security advisories and patch repositories for versions beyond 26.1.0 that address CVE-2026-46843. Apply patches in a staged approach: test in development or staging environments first, validate REST Data Services functionality and dependent application behavior, then roll out to production. Given the ease of exploitation, prioritize this within your patching schedule. Verify the patched version's compatibility with any custom REST endpoints or configurations in your environment.

Detection guidance

Monitor REST Data Services logs for unusual patterns: repeated connection attempts to service endpoints without valid requests, rapid connection cycling, or resource consumption spikes attributable to a single source. Network intrusion detection systems should flag traffic attempting to trigger resource exhaustion against REST Data Services HTTPS endpoints. Establish baseline performance metrics for REST Data Services availability and alert on significant deviations. Check running version identifiers in REST Data Services administrative panels or logs to confirm whether your deployment is within the affected range.

Why prioritize this

This vulnerability warrants prompt remediation despite its MEDIUM severity rating. The lack of authentication requirement, ease of exploitation, and network accessibility create a low friction attack surface. While impact is limited to partial availability (not data breach), the simplicity of triggering a denial of service makes this a recurring nuisance if left unpatched. Organizations should address this in the near term—particularly those with availability SLAs or customer-facing REST APIs dependent on these services.

Risk score, explained

The CVSS 3.1 score of 5.3 (MEDIUM) reflects the combination of high exploitability (network attack vector, low complexity, no authentication) and narrow impact scope (availability only; confidentiality and integrity unaffected). The score does not include threat actor activity or real-world exploit prevalence. Because this vulnerability has not been added to the CISA Known Exploited Vulnerabilities list, there is currently no public evidence of active exploitation, but the ease of exploitation warrants vigilance.

Frequently asked questions

Does this vulnerability leak sensitive data from my database?

No. The CVSS vector shows no confidentiality (C:N) or integrity (I:N) impact. This vulnerability causes partial unavailability only; it does not expose or modify data stored in or accessible through REST Data Services.

Can I work around this without patching immediately?

Mitigation can buy time: restrict network access to REST Data Services endpoints to trusted IP ranges via firewall or network ACLs, implement API gateway rate limiting to prevent resource exhaustion, and monitor for exploitation attempts. However, these are temporary measures; patching is the definitive fix.

What does 'partial denial of service' mean in this context?

The vulnerability triggers resource exhaustion that degrades REST Data Services availability without completely shutting it down. Some requests may succeed, others may fail or timeout. Full denial of service—where 100% of functionality is unavailable—is not the outcome.

Is this vulnerability being actively exploited in the wild?

As of the published date, this vulnerability does not appear on the CISA Known Exploited Vulnerabilities list, suggesting no confirmed active exploitation. However, the low barrier to exploitation means defensive measures should not be delayed based on this absence.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. SEC.co makes no warranty regarding the accuracy, completeness, or timeliness of this information. Readers should verify patch availability, version specifics, and compatibility with their deployments by consulting official Oracle documentation and advisories. Real-world exploitability and impact may vary based on network architecture, configuration, and deployment context. This information is not a substitute for professional security assessment or vendor guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).