Severity: HIGH | CVE-2026-35266 | CNA: oracle

CVE-2026-35266: Vulnerability in Oracle REST Data Services (component: Core)

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L).

HarborGuard Analysis

Synopsis

This is a network-exploitable vulnerability in Oracle REST Data Services (Core component), affecting versions 24.2.0 through 26.1.0. An attacker with a low-privilege account who can reach the service over HTTPS must also engineer human interaction from another user to trigger the flaw; the attack is rated high complexity. Successful exploitation enables full read and write access to all data accessible through Oracle REST Data Services, plus partial disruption of the service, with scope change meaning downstream products beyond ORDS itself can be impacted. No fix versions have been published by Oracle; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-35266 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that package Oracle REST Data Services. Any image running a version between 24.2.0 and 26.1.0 is flagged automatically.

Status: Available
Triage

HarborGuard is capable of scoring this finding at CVSS 7.9 (HIGH) and applying per-environment compliance policy weighting to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available based on policy configuration, ensuring the right owners see the alert without manual sorting.

Status: Available
Patch

Because no fix version has been published by Oracle, a patched-image rebuild is not yet available. HarborGuard re-checks the advisory on every ingest cycle and will make a patched rebuild available, along with an automated PR against affected workloads for customers with auto-remediation enabled, as soon as Oracle ships a fix.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle REST Data Services instance over the network via HTTPS; local or physical access alone is not sufficient.

  • Authentication: Required

    A valid low-privilege account on the target service is needed; unauthenticated access is not enough to trigger this vulnerability.

  • Victim interaction: Required

    A separate user (not the attacker) must take some action, such as visiting a crafted URL or interacting with a malicious request, for the attack to succeed.

  • Attack complexity: High

    Exploitation is rated high complexity, meaning the attacker must meet specific environmental conditions or timing constraints beyond just network access and credentials.

Blast Radius

  • A successful attacker reads all data accessible through Oracle REST Data Services, including sensitive application records and credentials exposed via REST endpoints.
  • The attacker creates, modifies, or deletes critical data stored behind Oracle REST Data Services, corrupting application state or destroying records.
  • Because the scope changes, products and services that consume Oracle REST Data Services as a backend can also be affected, extending the impact beyond the ORDS instance itself.
  • The attacker partially disrupts Oracle REST Data Services availability, degrading or intermittently blocking legitimate access to the service.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35266 is active across connected registries and pipelines for all images packaging Oracle REST Data Services versions 24.2.0 through 26.1.0. Because Oracle has not published a fix version, no patched-image rebuild is currently available. HarborGuard monitors the Oracle advisory on every ingest cycle and will surface a rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment a fix is published upstream. In the interim, compensating controls worth considering include network-policy isolation to restrict HTTPS access to ORDS endpoints to known, trusted clients only; egress filtering to limit what the ORDS instance can reach if scope-change lateral movement is a concern; and review of which low-privilege accounts have access to the service, reducing the pool of credentials an attacker could leverage.


Metrics

  • CVSS v3.1: 7.9
  • Severity: HIGH
  • Fixed in: none published
  • Affected products: 1
  • Affected packages: Oracle Corporation / Oracle REST Data Services, ≤ 26.1.0
  • CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L