Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
10.0
CVE-2026-46840: Oracle REST Data Services: Unauthenticated Takeover via HTTPS
CVE-2026-46840
Summary
Oracle REST Data Services versions 24.2.0 to 26.1.0 have a security flaw that allows an attacker to take control of the system without a password. This affects not only Oracle REST Data Services but potentially other connected products. To protect your system, update to a non-affected version as soon as possible.
Original title
Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attack...
Original description
Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
nvd CVSS3.1
10.0
Vulnerability type
CWE-284
Improper Access Control
CWE-287
Improper Authentication
CWE-306
Missing Authentication for Critical Function
Published: 28 May 2026 · Updated: 31 May 2026 · First seen: 28 May 2026