Severity: CRITICAL | CVE-2026-46775 | CNA: oracle

CVE-2026-46775: Vulnerability in Oracle REST Data Services (component: Core)

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

HarborGuard Analysis

Synopsis

An authentication-bypass-level privilege escalation vulnerability exists in the Core component of Oracle REST Data Services (ORDS), affecting versions 24.2.0 through 26.1.0. The flaw is reachable over HTTPS from any network with only a low-privileged account required, and no interaction from another user is needed. Successful exploitation results in full takeover of the ORDS instance, with high impact to confidentiality, integrity, and availability, and a scope change that can affect additional dependent products. No fix version has been published by Oracle; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-46775 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including internally built images that bundle ORDS versions 24.2.0 through 26.1.0.

Triage: Available

Triage is available using the CVSS 3.1 base score of 9.9 (Critical), weighted against each customer organization's compliance policy to surface priority and route alerts to the appropriate team inbox. Per-environment policy configuration determines whether the finding is treated as a blocking gate in the pipeline or an advisory notification.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle ships a corrected release. In the meantime, compensating controls such as network-policy isolation for ORDS endpoints and egress filtering can be configured and tracked through HarborGuard's policy enforcement layer.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the ORDS service over the network via HTTPS; no local or physical access is needed.

  • Authentication: Required

    Any low-privileged account is sufficient; the attacker does not need administrator or elevated credentials to trigger the vulnerability.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker can exploit the vulnerability entirely on their own.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and requires no special conditions, race conditions, or memory-layout preparation.

Blast Radius

  • A successful attacker gains full control of the Oracle REST Data Services instance, reading all data served through the ORDS Core component including stored credentials, session tokens, and application records.
  • The attacker can modify or delete persisted data exposed via ORDS, corrupting database-backed applications that depend on it.
  • The attacker can crash or render the ORDS service unavailable, disrupting any application or API layer that relies on it.
  • Because the CVSS scope is changed, compromise can extend to additional products and services connected to the affected ORDS deployment, beyond the initial target.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged as Critical (CVSS 9.9) with no fix version currently available from Oracle, so the primary capability is continuous advisory monitoring. HarborGuard re-evaluates the Oracle advisory on every ingest cycle; the moment a patched release is published, a rebuild at the fix version becomes available automatically, and customers with auto-remediation enabled receive a rebuilt image, a regression-test run, and a PR opened against affected workloads (median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled, once an upstream fix exists).

While no patch is available, recommended compensating controls include applying Kubernetes network policies to restrict inbound HTTPS access to ORDS pods to known trusted sources only, enabling egress filtering to limit lateral movement from a compromised ORDS instance, and, where possible, gating ORDS-dependent features behind application-level feature flags to reduce the blast radius of exploitation.
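The two network-level compensating controls above (restrict inbound HTTPS to ORDS, and filter egress from ORDS pods) can be expressed in a single Kubernetes NetworkPolicy. The manifest below is an added illustration, not HarborGuard's own policy or anything from Oracle's advisory; the namespace `ords`, the labels `app: ords`, `ords-client: "true"`, `ords-access: allowed` and `app: oracle-db`, and the ports 8443 (ORDS standalone HTTPS listener) and 1521 (Oracle database listener) are assumptions to be replaced with the values of the actual deployment.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ords-restrict-ingress-egress   # assumed policy name
  namespace: ords                      # assumed namespace hosting ORDS
spec:
  # Selecting the ORDS pods with both policy types turns on default-deny
  # for every ingress and egress flow not explicitly listed below.
  podSelector:
    matchLabels:
      app: ords                        # assumed ORDS pod label
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Inbound: only pods labelled as trusted ORDS clients, and only from
    # namespaces explicitly opted in, may reach the HTTPS listener.
    # namespaceSelector and podSelector in one "from" entry are ANDed.
    - from:
        - namespaceSelector:
            matchLabels:
              ords-access: allowed     # assumed namespace label
          podSelector:
            matchLabels:
              ords-client: "true"      # assumed trusted-client pod label
      ports:
        - protocol: TCP
          port: 8443                   # assumed ORDS standalone HTTPS port
  egress:
    # Outbound 1: cluster DNS, so service names still resolve.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns        # standard CoreDNS/kube-dns label
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Outbound 2: the backend Oracle database listener only. Everything
    # else (other services, the internet) is denied, which limits what a
    # compromised ORDS instance can reach.
    - to:
        - podSelector:
            matchLabels:
              app: oracle-db           # assumed database pod label
      ports:
        - protocol: TCP
          port: 1521                   # assumed Oracle listener port
```

Two design notes: the egress rule uses a `podSelector`, which only matches pods in the policy's own namespace, so a database running outside the cluster needs an `ipBlock` entry with its address instead; and NetworkPolicy is enforced by the cluster's CNI plugin, so verify that the CNI in use actually implements the resource (some do not) before relying on it as a control.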


Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: none published yet
Affected products: 1
Affected packages:
  • Oracle Corporation / Oracle REST Data Services ≤ 26.1.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H