Severity: HIGH | CVE-2026-46829 | CNA: oracle

CVE-2026-46829: Vulnerability in Oracle REST Data Services (component: Mongoapi)

Vulnerability in Oracle REST Data Services (component: Mongoapi). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle REST Data Services. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in the Mongoapi component of Oracle REST Data Services (ORDS), affecting versions 24.2.0 through 26.1.0 inclusive. An unauthenticated attacker with network access over HTTPS can reach the affected component without credentials or user interaction. Successful exploitation hangs the ORDS process or crashes it in a way that can be repeated at will, a complete denial of service of that instance (CVSS 3.1 base score 7.5; availability impact only, confidentiality and integrity are not affected). No fix version has been published yet; HarborGuard tracks the upstream advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-46829 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle REST Data Services in the affected version range (24.2.0 to 26.1.0).

Status: Available
Triage

Triage is available with a CVSS 3.1 score of 7.5 (HIGH), weighted against each customer environment's compliance policy to prioritize exposure of internet-facing ORDS deployments. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
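As an added example of the version matching and exposure weighting described under Detection and Triage (this is not HarborGuard's scanner or Oracle code): the script parses ORDS version strings, tests them against the advisory's inclusive range 24.2.0 to 26.1.0, and ranks affected installs by how reachable the Mongoapi component is. The inventory schema, the `internet_facing` and `mongo_api_enabled` flags, the P1/P2/P3 scheme, and the sample inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Affected range from the advisory: 24.2.0 through 26.1.0, both inclusive.
AFFECTED_MIN = (24, 2, 0)
AFFECTED_MAX = (26, 1, 0)
CVSS_BASE = 7.5


def parse_ords_version(text: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) from an ORDS version string.

    Accepts '24.2.0' and longer forms such as '24.2.0.r3011325' (numeric
    components are read until the first non-numeric one); a missing patch
    component counts as 0.  Raises ValueError if fewer than two numeric
    components are present, so unparseable input fails loudly instead of
    silently scanning as 'not affected'.
    """
    parts: list[int] = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if len(parts) < 2:
        raise ValueError(f"unrecognised ORDS version: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_affected(version: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_ords_version(version) <= AFFECTED_MAX


@dataclass
class Deployment:
    """One ORDS install as an inventory might record it (hypothetical schema)."""
    name: str
    version: str
    internet_facing: bool
    mongo_api_enabled: bool


def priority(dep: Deployment) -> str:
    """Environmental ranking for an affected deployment.

    The CVSS vector (AV:N, PR:N, UI:N, A:H) says anyone who can reach the
    component can take the instance down, so reachability dominates:
    P1: Mongoapi enabled and reachable from the internet.
    P2: Mongoapi enabled but only reachable internally.
    P3: Mongoapi disabled (assumption: the vulnerable component is not
        exposed, so this is 'patch on the next cycle', not 'ignore').
    """
    if not dep.mongo_api_enabled:
        return "P3"
    return "P1" if dep.internet_facing else "P2"


def triage(inventory: list[Deployment]) -> list[dict]:
    """Return affected deployments, highest priority first."""
    findings = []
    for dep in inventory:
        if not is_affected(dep.version):
            continue
        findings.append({
            "name": dep.name,
            "version": dep.version,
            "cvss": CVSS_BASE,
            "priority": priority(dep),
        })
    return sorted(findings, key=lambda f: f["priority"])


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Deployment("api-edge", "24.2.0.r3011325", internet_facing=True, mongo_api_enabled=True),
    Deployment("reporting", "25.3.1", internet_facing=False, mongo_api_enabled=True),
    Deployment("batch", "26.1.0", internet_facing=True, mongo_api_enabled=False),
    Deployment("legacy", "24.1.1", internet_facing=True, mongo_api_enabled=True),
    Deployment("canary", "26.2.0", internet_facing=True, mongo_api_enabled=True),
]


def sample_findings() -> list[dict]:
    """Run triage over the constructed inventory."""
    return triage(SAMPLE_INVENTORY)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f['priority']}  {f['name']:<10} ORDS {f['version']}  CVSS {f['cvss']}")
```

Two design points worth keeping in a real scanner: the range check is inclusive at both ends because the advisory lists 24.2.0 and 26.1.0 as affected versions, and the parser raises on strings it cannot read rather than returning "not affected", since silently skipping unparseable versions is the usual way a match gets missed.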
Patch

Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle publishes a remediated release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads automatically once that upstream fix lands.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the ORDS service over the network via HTTPS; no local or physical access is needed.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerable Mongoapi endpoint accepts unauthenticated requests.

  • Victim interaction: Not required

    The attack is fully remote and automated; no user or administrator action is required to trigger the vulnerability.

  • Attack complexity: Low

    The CVSS vector rates attack complexity Low (AC:L): the attack is reliable and needs no special conditions, race timing, or environmental setup.

Blast Radius

  • Crashes or hangs the Oracle REST Data Services process, taking down all REST and Mongoapi endpoints served by that instance.
  • The outage is repeatedly triggerable, meaning an attacker can sustain the denial of service with minimal effort after the service restarts.
  • Any application or pipeline dependent on ORDS for database REST access loses connectivity for the duration of the attack.

How HarborGuard Handles This

Images containing Oracle REST Data Services in the range 24.2.0 to 26.1.0 are flagged automatically as each customer registry or CI pipeline is scanned. Because Oracle has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment an upstream fix is released; for customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads are initiated automatically at that point.

Until then, reduce exposure rather than wait. Restrict ingress to the ORDS Mongoapi endpoints to known, trusted source addresses (network policy, security groups, or firewall rules), and put a reverse proxy or load balancer in front of ORDS that can rate-limit or block anomalous request patterns against the Mongoapi path. Two caveats: the attack needs no ORDS credentials, so ORDS-level authentication does not reduce exposure, only limiting which sources can reach the endpoint does; and rate limiting helps only if the condition takes repeated requests to trigger, which the advisory does not say, so treat source restriction as the primary control. If the Mongoapi component is not in use, disabling it removes the exposed surface entirely.


Metrics

CVSS v3.1 base score: 7.5
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1
Affected packages:
  • Oracle Corporation / Oracle REST Data Services, ≤ 26.1.0 (advisory range 24.2.0 to 26.1.0)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H