CVE-2026-46840: Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service)
Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
HarborGuard Analysis
Synopsis
This is a complete-takeover vulnerability in Oracle REST Data Services (ORDS), specifically in its Backend-as-a-Service component, affecting versions 24.2.0 through 26.1.0. An unauthenticated attacker with network access over HTTPS can reach the service directly, with no login or user interaction required, and the exploit is reliable with no special conditions needed. Successful exploitation gives the attacker full control of the ORDS instance and, due to a scope change in the CVSS rating, can significantly compromise other products that depend on or integrate with ORDS. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-46840 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle ORDS. Coverage extends to both registry-stored images and images scanned inline in CI/CD pipelines.
- Triage: Available
Triage is available with the full CVSS v3.1 score of 10.0 (Critical) surfaced alongside per-environment compliance policy weighting, ensuring the finding is prioritized and routed to the appropriate team inbox within each customer organization. Because this vulnerability carries a scope-change flag, the triage card highlights the potential for cross-product impact beyond the directly affected ORDS container.
- Fix: Pending upstream
No fix version has been published by Oracle for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream ships a fix. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version is confirmed.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the ORDS service over the network via HTTPS; internet-exposed or internally routable deployments are directly at risk.
- Authentication: Not required
No credentials or session token of any kind are needed; the attacker can send the exploit request anonymously.
- Victim interaction: Not required
No user action, click, or browser session is required; the attack is fully server-side.
- Attack complexity: Low
Attack complexity is Low, meaning the exploit is reliable and repeatable with no dependency on race conditions, specific memory layout, or other environmental factors.
Blast Radius
- Attacker reads all data accessible to the ORDS process, including database credentials, API keys, and any application data served through the Backend-as-a-Service component.
- Attacker writes or deletes data through the ORDS interface, modifying database rows, stored procedures, or configuration artifacts.
- Attacker crashes or indefinitely degrades the ORDS service, taking down any applications that depend on it for REST-based data access.
- Because the CVSS scope is Changed (S:C), an attacker-controlled ORDS instance can be used as a pivot point to compromise connected Oracle database instances or other integrated backend services.
How HarborGuard Handles This
Available on HarborGuard: this CVE is tracked continuously with no customer action required to maintain coverage. Because Oracle has not yet published a fix for versions 24.2.0 through 26.1.0, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix version is released. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression-test run and a PR opened against affected workloads, with a typical median time from CVE publication to merged patch PR of around 90 minutes for Critical-severity issues once an upstream fix exists. In the interim, compensating controls worth evaluating include placing ORDS behind a network policy that restricts inbound HTTPS to known-good source CIDRs, enabling egress filtering to limit what a compromised ORDS container can reach inside the broader environment, and disabling the Backend-as-a-Service component via feature-flag or deployment configuration if it is not actively used. Where compliance policy permits, HarborGuard can flag any newly pushed image containing an affected ORDS version and block promotion to production registries until a patched version becomes available.
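As an added illustration of the first two compensating controls above (ingress restricted to known-good source CIDRs, egress limited to what ORDS actually needs), here is a Kubernetes NetworkPolicy for the ORDS pods; it is example configuration, not HarborGuard's or Oracle's. The namespace, pod labels, CIDRs, database label and the 8443 listener port are all assumptions to be replaced with the real deployment's values.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ords-restrict-https          # hypothetical policy name
  namespace: ords                    # assumed namespace hosting ORDS
spec:
  # Assumed label on the ORDS pods. Selecting them makes the policy
  # deny-by-default for both directions; only the rules below are allowed.
  podSelector:
    matchLabels:
      app: ords
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Inbound HTTPS only from known-good source ranges (constructed CIDRs).
    - from:
        - ipBlock:
            cidr: 10.40.0.0/16        # internal client range (constructed)
        - ipBlock:
            cidr: 10.50.8.0/24        # API gateway / WAF tier (constructed)
      ports:
        - protocol: TCP
          port: 8443                  # assumed ORDS HTTPS listener port
  egress:
    # A compromised ORDS container may reach only the database listener ...
    - to:
        - podSelector:
            matchLabels:
              app: oracle-db          # assumed label on the database pods
      ports:
        - protocol: TCP
          port: 1521                  # Oracle Net listener (default port)
    # ... and cluster DNS. Everything else inside the environment is dropped,
    # which is the egress-filtering control the advisory recommends.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Enforcement requires a CNI plugin that implements NetworkPolicy, and ipBlock matches the source address as seen at the pod, so traffic arriving through a NAT-ing load balancer or ingress controller needs that controller's address range in the allow-list rather than the original client range.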
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
  - Oracle Corporation / Oracle REST Data Services ≤ 26.1.0
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H