CVE-2026-35277 | Severity: HIGH | CNA: oracle

CVE-2026-35277: Vulnerability in Oracle REST Data Services (component: Core)

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

HarborGuard Analysis

Synopsis

An access-control vulnerability in the Core component of Oracle REST Data Services (versions 24.2.0 through 26.1.0) allows a low-privileged attacker to reach the service over HTTPS and bypass authorization checks. Successful exploitation gives the attacker full read access to all data the service can reach, plus the ability to create, modify, or delete critical records. No fix version has been published; HarborGuard tracks the Oracle advisory and will surface a patched-image rebuild the moment one becomes available.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle REST Data Services. Any image running an affected version (24.2.0 through 26.1.0) will appear in the findings list automatically.

Triage: Available

HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each environment's configured compliance policy to determine urgency and routing. Triage notifications are dispatched to the inbox or ticketing integration configured for the relevant team inside each customer organization.

Patch: Pending upstream

Because no upstream fix has been published, HarborGuard re-evaluates the Oracle advisory on every ingest cycle; a patched-image rebuild will become available automatically the moment Oracle ships a remediated release. In the interim, customers can apply compensating controls such as network-policy rules that restrict HTTPS access to Oracle REST Data Services to trusted service accounts only.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle REST Data Services endpoint over the network via HTTPS; the service does not need to be internet-facing, but it must be reachable from the attacker's position.

  • Authentication: Required

    Any low-privilege account with network access is sufficient; no administrative or elevated credentials are needed.

  • Victim interaction: Not required

    No user interaction is needed; the attacker operates entirely against the service without involving another person.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, timing windows, or environmental prerequisites.

Blast Radius

  • Reads all data accessible through Oracle REST Data Services, including database rows, stored credentials, and any sensitive application data exposed via REST endpoints.
  • Creates, modifies, or deletes critical data records persisted in the underlying Oracle database schemas served by the component.
  • Scope of impact is limited to confidentiality and integrity; the service itself is not crashed and availability is not directly affected.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-35277, the platform continuously re-checks the advisory on each ingest cycle and will generate a patched-image rebuild automatically once an upstream remediated version is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention. While no patch is available, recommended compensating controls include applying Kubernetes or cloud network policies to restrict HTTPS access to Oracle REST Data Services endpoints to known, authorized service identities only; enforcing least-privilege account provisioning so that credentials with REST Data Services access are tightly scoped; and enabling egress filtering to limit lateral movement if an account is compromised. Any image running versions 24.2.0 through 26.1.0 detected in a customer registry will surface in the HarborGuard findings dashboard with the HIGH severity label and compliance-policy weighting applied.
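The network-policy compensating control described above, written out as a Kubernetes NetworkPolicy. This is an added example, not HarborGuard's or Oracle's configuration. It assumes (constructed for illustration) that the ORDS pods run in a namespace named `ords` with the label `app=ords` and serve HTTPS on TCP 8443, and that the only workloads permitted to call ORDS carry the label `ords-client=allowed`, either in the same namespace or in an assumed `api-gateway` namespace. Adjust the namespace, labels, and port to match the real deployment.

```yaml
# Added example (not from the HarborGuard page or Oracle): restrict HTTPS
# ingress to Oracle REST Data Services pods to explicitly labelled callers.
# Assumed values: namespace "ords", pod label app=ords, HTTPS on TCP 8443,
# caller label ords-client=allowed, optional caller namespace "api-gateway".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ords-restrict-https-ingress
  namespace: ords
spec:
  # Selects the ORDS pods this policy protects.
  podSelector:
    matchLabels:
      app: ords
  # Listing Ingress makes every inbound connection to the selected pods
  # that is not matched by a rule below denied by default.
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Callers in the same namespace that carry the allow label.
        - podSelector:
            matchLabels:
              ords-client: allowed
        # Callers in the assumed api-gateway namespace; namespaceSelector and
        # podSelector inside one entry are ANDed, so both must match.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: api-gateway
          podSelector:
            matchLabels:
              ords-client: allowed
      # Only the HTTPS listener is exposed to the allowed callers.
      ports:
        - protocol: TCP
          port: 8443
```

Apply it with `kubectl apply -f` and confirm the result with `kubectl describe networkpolicy ords-restrict-https-ingress -n ords`. Two caveats worth checking: a NetworkPolicy is only enforced if the cluster's CNI plugin supports it, and this control reduces who can reach the endpoint rather than fixing the flaw itself, since any low-privileged account on an allowed caller can still trigger the vulnerability until the upstream fix ships.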

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fix version published
Affected products: 1
Affected packages:
  • Oracle Corporation / Oracle REST Data Services, ≤ 26.1.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N