HarborGuard / CVE
CVE-2026-46833 · Severity: CRITICAL · CNA: oracle

CVE-2026-46833: Vulnerability in the Net Service component of Oracle Database Server

Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

HarborGuard Analysis

Synopsis

A critical-severity vulnerability exists in the Net Service component of Oracle Database Server (supported versions 23.4.0 through 23.26.2). It is reachable by an unauthenticated attacker over the network via TLS with no user interaction (AV:N, PR:N, UI:N), but exploitation depends on conditions outside the attacker's control (AC:H). A successful attack results in takeover of Net Service with high confidentiality, integrity and availability impact (C:H/I:H/A:H), and because the CVSS scope is changed (S:C) the impact can extend beyond Net Service to other products that trust it. The advisory gives no technical detail on the flaw, and Oracle has not yet published a fix version. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Oracle publishes one.

HarborGuard Coverage

Detection: Available

HarborGuard ingests CVE-2026-46833 from upstream advisory feeds shortly after publication and matches it against all customer images, including custom-built images that incorporate Oracle Database Server layers. Any image whose package metadata reports a version in the 23.4.0 to 23.26.2 range is flagged. Version matching must compare components numerically rather than lexically: as strings, "23.26.2" sorts before "23.4.0", so a naive string comparison would miss most of the range. Note also that Oracle lists only supported versions as affected; an out-of-support release older than 23.4.0 is not cleared by this advisory, merely not rated.
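The version-range check described above, written out as an added example (this is not HarborGuard's detection code). It compares dotted numeric versions component by component, treats missing trailing components as zero so that a five-part Oracle version such as 23.4.0.24.05 is handled, and distinguishes "affected" from "older than the rated range" and "newer than the rated range". The affected bounds come from the Oracle advisory on this page; the image names in the sample inventory are constructed and hypothetical.

```python
"""Version-range matching for CVE-2026-46833 (added example, not HarborGuard code).

Oracle's advisory lists supported versions 23.4.0 through 23.26.2 as affected.
Versions must be compared numerically, component by component: a plain string
comparison sorts "23.26.2" before "23.4.0" and would miss most of the range.
"""
from typing import Dict, List, Tuple

AFFECTED_LOW = "23.4.0"      # bounds taken from the Oracle advisory text above
AFFECTED_HIGH = "23.26.2"


def parse_version(v: str) -> Tuple[int, ...]:
    """'23.26.2' or '23.4.0.24.05' -> tuple of ints; rejects anything else so
    that a garbled metadata field is reported, not silently treated as safe."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    return tuple(int(p) for p in parts)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a<b, a==b, a>b. Missing trailing components count
    as zero, so '23.26.2.0.0' equals '23.26.2'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def assess(version: str) -> str:
    """Classify one detected Oracle Database Server version.

    affected   : inside 23.4.0 .. 23.26.2 inclusive (the range Oracle lists)
    unassessed : older than 23.4.0; Oracle rates only supported versions, so an
                 out-of-support release is not cleared, merely not rated
    unlisted   : newer than 23.26.2; no fix version is published, so this needs
                 a manual check against the current advisory rather than a pass
    """
    if compare(version, AFFECTED_LOW) < 0:
        return "unassessed"
    if compare(version, AFFECTED_HIGH) <= 0:
        return "affected"
    return "unlisted"


# Constructed sample inventory: (image reference, version read from package
# metadata). The registry and image names are hypothetical.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("registry.example/app-db:prod", "23.26.2"),
    ("registry.example/app-db:canary", "23.4.0.24.05"),
    ("registry.example/legacy-db:old", "23.3.0"),
    ("registry.example/app-db:next", "23.26.3"),
    ("registry.example/broken:meta", "unknown"),
]


def flag_images(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map each image to its classification; unparseable versions are flagged
    'error' so they surface for triage instead of disappearing."""
    result: Dict[str, str] = {}
    for image, version in inventory:
        try:
            result[image] = assess(version)
        except ValueError:
            result[image] = "error"
    return result


if __name__ == "__main__":
    for image, verdict in flag_images(SAMPLE_INVENTORY).items():
        print(f"{verdict:10s} {image}")
```

Unparseable versions are deliberately reported as a separate "error" state: a scanner that silently skips an image it cannot read produces a false negative, which is the worst outcome for a critical, unauthenticated, network-reachable issue.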
Triage: Available

HarborGuard scores this CVE at 9.0 Critical (CVSS v3.1) and can weight that score against each customer environment's compliance policy to set routing priority. Findings are delivered to the appropriate team inbox in each customer organization according to configured escalation rules. The score follows directly from the vector: with scope unchanged the same metrics would yield 8.1 (High); the scope change (S:C) is what lifts the base score to 9.0 and the rating into Critical.
Patch: Pending upstream

Oracle has not published a fix version, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run and PR against affected workloads start without manual intervention once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Oracle Net Service endpoint over the network via TLS (AV:N); no local or physical access is needed.

  • Authentication: Not required

    No credentials or account are needed (PR:N); any unauthenticated party that can connect to the service can attempt the attack.

  • Victim interaction: Not required

    The attack is entirely server-side (UI:N) and needs no action from any user or administrator of the target.

  • Attack complexity: High

    AC:H in CVSS v3.1 means success depends on conditions beyond the attacker's control, for example knowledge of the target's configuration, a prepared environment, or winning a race. Oracle's advisory gives no detail on which conditions apply here, so the rating should be read as "not reliably repeatable from a bare network connection", not as "unlikely to be exploited".

Blast Radius

  • C:H: a successful attacker gains read access to data handled by Net Service, which carries database connection traffic including credentials and query results.
  • I:H: the attacker can modify or inject data passing through Net Service, corrupting database transactions or altering the responses returned to applications.
  • A:H: the attacker can crash Net Service or render it unavailable, cutting database connectivity for every dependent application.
  • S:C: the vulnerable component and the impacted components differ. Compromise of Net Service can reach resources outside its own security authority, such as the database instance it fronts and other products on the host that trust it; this is why Oracle states that attacks may significantly impact additional products.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46833 is active across customer registries and CI pipelines for all images containing Oracle Database Server 23.4.0 through 23.26.2. Because Oracle has not yet published a fix version, no patched-image rebuild is currently available; HarborGuard re-evaluates the upstream advisory on every ingest cycle and will trigger the rebuild-and-PR flow automatically for customers with auto-remediation enabled as soon as Oracle ships a patch. In the interim, compensating controls worth considering:

  • Network-policy or firewall rules that restrict access to Oracle Net listener endpoints to known application subnets only. Oracle Net commonly listens on TCP 1521 and, for TLS (TCPS), on 2484; confirm the endpoints actually in use with `lsnrctl status`, which lists each one with its PROTOCOL, rather than assuming the defaults.
  • Egress filtering on database hosts to limit lateral movement if a host is compromised.
  • A review of cross-component trust relationships that could widen the blast radius, given the scope-change rating of this CVE.


Metrics

CVSS v3.1: 9.0
Severity: CRITICAL
Fixed in: no fix version published yet (pending upstream)
Affected products: 1
Affected packages:
  • Oracle Corporation / Oracle Database Server
    ≤ 23.26.2 as recorded in the feed; Oracle's advisory lists supported versions 23.4.0 through 23.26.2 as affected, and does not rate older, out-of-support releases
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H