CRITICAL · CVE-2026-46839 · CNA: oracle

CVE-2026-46839: Vulnerability in Oracle REST Data Services (component: Core)

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

HarborGuard Analysis

Synopsis

A critical, network-reachable vulnerability that requires only low-privileged authentication exists in the Core component of Oracle REST Data Services (ORDS), affecting versions 24.2.0 through 26.1.0. The flaw is reachable over HTTPS from any network location and needs only a low-privileged account to trigger; no victim interaction is required. Successful exploitation gives an attacker full control of the ORDS instance and can cascade to compromise additional connected products, resulting in complete loss of confidentiality, integrity, and availability. No fix version has been published by Oracle; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection (status: Available)

Detection is available across every HarborGuard environment: the CVE is ingested from Oracle and upstream security feeds within minutes of publication and matched against all customer images, including custom-built images that bundle ORDS. Any image running an affected version (24.2.0 through 26.1.0) will surface in the findings dashboard automatically.

Triage (status: Available)

HarborGuard scores this finding at CVSS 9.9 Critical and weights it against each environment's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within the customer org based on image ownership and policy configuration.

Patch (status: Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically without any manual intervention required.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the ORDS service over the network via HTTPS; no local or physical access is assumed.

  • Authentication: Required

    Any low-privileged account on the ORDS instance is sufficient; no administrative rights are needed.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker can trigger the vulnerability directly.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and repeatable without depending on race conditions, specific memory layout, or other environmental factors.

Blast Radius

  • A successful attacker reads all data accessible through the ORDS instance, including database credentials, API tokens, and any application data exposed via REST endpoints.
  • The attacker can write, modify, or delete persisted database rows and ORDS configuration, corrupting application state or planting backdoors.
  • The ORDS service can be crashed or rendered completely unavailable, disrupting all dependent applications and database API consumers.
  • Because the CVSS scope is marked as Changed, compromise can propagate to additional products connected to the same database or identity infrastructure beyond the ORDS process itself.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46839, the immediate capability is continuous advisory monitoring. Every ingest cycle re-checks the Oracle security feed; if a patched version ships, a rebuilt image at that version becomes available for affected environments within minutes, and customers with auto-remediation enabled will receive a rebuild, a regression-test run, and a PR opened against affected workloads automatically. While awaiting a patch, HarborGuard's network-policy tooling can be used to scope HTTPS access to ORDS down to only the services and users that strictly require it, reducing the pool of accounts from which a low-privileged attacker could reach the vulnerable endpoint. Egress filtering can limit lateral movement if the service is compromised. Given the Critical severity and scope-change potential, customers running affected versions (24.2.0 through 26.1.0) should treat this as a priority finding and apply compensating controls through the HarborGuard policy console until Oracle publishes a fix.


Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected products: 1
  • Affected packages: Oracle Corporation / Oracle REST Data Services, ≤ 26.1.0
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H