CRITICAL CVE-2026-34311 Published Modified CNA oracle

CVE-2026-34311: Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera)

Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

HarborGuard Analysis

Synopsis

A critical unauthenticated remote takeover vulnerability affects Oracle Hospitality OPERA 5 Property Services (versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28). The flaw is reachable over HTTP with no credentials required and no user interaction needed. Successful exploitation gives an attacker full control of the OPERA 5 service, including complete read, write, and availability impact across the system. No fix versions have been published yet; HarborGuard is tracking this advisory and will flag a patched rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-34311 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that package OPERA 5 components. Any image in a connected registry or CI/CD pipeline running an affected version is flagged automatically.

Status: Available

Triage

Triage is available using the CVSS 3.1 base score of 9.8 (Critical), with per-environment compliance policy weighting applied to route findings to the appropriate team inbox inside each customer organization. High-severity findings like this one are surfaced with priority indicators to accelerate review time.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment Oracle ships a corrected version. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the OPERA 5 HTTP service over the network; no local or physical access is required.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerable endpoint is fully unauthenticated.

  • Victim interaction: Not required

    The attack is entirely server-side and requires no action from any user or administrator.

  • Attack complexity: Detail

    The vulnerability is described as easily exploitable, with no race conditions or special environmental prerequisites required.

Blast Radius

  • A successful attacker reads all data accessible to the OPERA 5 service, including guest records, reservation details, and stored credentials.
  • The attacker can write or modify persisted data across the service, including reservation state, billing records, and configuration.
  • The attacker can crash or otherwise disable the OPERA 5 service, causing a full denial of hotel property management operations.
  • Because the CVSS scope is unchanged, impact is contained to the OPERA 5 process and its directly accessible data, but full service takeover means confidentiality, integrity, and availability are all compromised within that boundary.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active against all connected registries and pipelines, flagging any image that packages an affected version of OPERA 5 Property Services. Because Oracle has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a corrected version is released upstream. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will fire without manual intervention. In the interim, compensating controls worth reviewing include network-policy rules that restrict inbound HTTP access to the OPERA 5 service to known trusted source addresses, egress filtering to limit the service's outbound reach in the event of compromise, and disabling any non-essential HTTP endpoints exposed by the component where the application supports feature-level gating.


Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in
Affected Products: 1
Affected packages
  • Oracle Corporation / Oracle Hospitality OPERA 5 Property Services
    5.6.19.24 · 5.6.22 · 5.6.25.19 · 5.6.27.6 · 5.6.28
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H