ZeroPath at Black Hat USA 2026

Oracle Hospitality OPERA 5 CVE-2026-34311: Brief Summary of a Critical Unauthenticated Takeover Vulnerability

A brief summary of CVE-2026-34311, a CVSS 9.8 unauthenticated takeover vulnerability in Oracle Hospitality OPERA 5 Property Services affecting five supported versions across the 5.6.x release family.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Oracle Hospitality OPERA 5 CVE-2026-34311: Brief Summary of a Critical Unauthenticated Takeover Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated attacker with nothing more than HTTP access to an Oracle Hospitality OPERA 5 Property Services instance can achieve complete system takeover, gaining full control over guest data, reservation records, and payment information stored in one of the hospitality industry's most widely deployed property management systems. CVE-2026-34311 carries a CVSS 3.1 base score of 9.8 and affects five supported versions spanning the 5.6.x release family, making it relevant to a significant portion of the global OPERA 5 installed base.

Oracle Hospitality OPERA is the dominant property management system (PMS) in the hotel industry, recognized as a Leader in the IDC MarketScape: Worldwide Hospitality Property Management Systems 2025 Vendor Assessment. Its customer base includes major brands such as Hyatt, IHG Hotels and Resorts, Radisson, Sonesta, Omni, and Rotana. Oracle reported USD 6.7 billion in hospitality related cloud revenue for fiscal 2025, and North America alone holds a projected 33.2% share of the global hotel management software market in 2026. A critical vulnerability in this product has implications for thousands of hotel properties and millions of guest records worldwide.

Technical Information

Vulnerability Characteristics

CVE-2026-34311 is a critical vulnerability in the Opera component of Oracle Hospitality OPERA 5 Property Services. The flaw was published to the NVD on May 28, 2026, and is addressed in the Oracle May 2026 Critical Security Patch Update.

Oracle's description states: "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality OPERA 5 Property Services."

The NVD has not assigned a CWE classification to this vulnerability as of the publication date, which limits automated vulnerability classification. Security teams should manually categorize this based on the known attack pattern: unauthenticated remote takeover via HTTP.

CVSS Vector Breakdown

The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which breaks down as follows:

CVSS MetricValueSignificance
Attack Vector (AV)Network (N)Exploitable remotely over the internet
Attack Complexity (AC)Low (L)No special conditions or advanced techniques required
Privileges Required (PR)None (N)No authentication credentials needed
User Interaction (UI)None (N)Victim does not need to take any action
Scope (S)Unchanged (U)Impact limited to the vulnerable component
Confidentiality (C)High (H)Total information disclosure
Integrity (I)High (H)Total modification of data possible
Availability (A)High (H)Total shutdown of the service possible

The combination of AV:N, AC:L, PR:N, and UI:N is the worst possible attack surface profile. An attacker needs only network access to an OPERA 5 HTTP endpoint. There are no barriers of authentication, complexity, or user interaction.

Attack Surface Context from Prior OPERA 5 Vulnerabilities

Oracle's stated policy is to not disclose detailed vulnerability information in their Critical Patch Update advisories. However, the Opera component has been the subject of multiple independent security research disclosures that illuminate the attack surface CVE-2026-34311 likely inhabits.

CVE-2023-21932 (Pre-Authentication RCE, CVSS 9.8): Security researchers from Assetnote demonstrated that this vulnerability was an order of operations flaw where the product sanitized an encrypted payload before decrypting it. This allowed an attacker to inject malicious content that bypassed sanitization entirely. The researchers published the Java file used to encrypt arbitrary strings, making replication trivial. They achieved pre-authentication remote code execution by uploading a CGI web shell to the local file system. Notably, Oracle initially rated this vulnerability as "difficult to exploit" requiring high privileges, but independent researchers demonstrated it was exploitable without any authentication. This discrepancy between Oracle's severity assessment and actual exploitability is worth keeping in mind when evaluating CVE-2026-34311.

CVE-2026-21967 (SSRF with Credential Disclosure, CVSS v4.0 8.7): PwC's Dark Lab research team traced this flaw to the OperaServlet, where the urladdress parameter is consumed by the callreport function to open a direct URL connection to an attacker specified address without validation. The server transmits internal state data and leaks reusable database credentials (in dbuser/dbpswd@dbschema format) in plaintext to the attacker's server, enabling direct read/write access to the OPERA database via sqlplus.

CVE-2026-21966 (Reflected XSS, CVSS v4.0 5.1): Dark Lab identified a reflected XSS in the OperaPrint servlet within the OperaLogin.war module, where Utility.sanitizeParameterString only sanitized the parameter value while leaving the parameter name unsanitized. They bypassed browser URL encoding by weaponizing an HTML entity bypass using the ' entity within an onload attribute.

Inferred Attack Pattern

These precedents establish a clear pattern: the Opera component's HTTP handling layer has systemic weaknesses in input validation and authentication enforcement. Each prior flaw exposed a different failure mode in the same component. CVE-2026-34311, with its 9.8 CVSS and "takeover" outcome, likely exploits a similar class of flaw where attacker controlled data reaches sensitive application logic before proper validation or authentication checks are applied. The breadth of affected versions across multiple release branches (5.6.19 through 5.6.28) indicates the vulnerability exists in core Opera component code shared across these versions.

Data at Risk

A successful takeover of Oracle Hospitality OPERA 5 exposes vast quantities of personally identifiable information including guest names, emails, room allocations, and payment card data. Dark Lab demonstrated that exploitation of CVE-2026-21967 alone enabled direct read/write access to the OPERA database, exposing guest PII in bulk. A full system takeover via CVE-2026-34311 would provide even greater access, potentially including guest reservation data, payment card information (triggering PCI DSS breach obligations), hotel operational systems (enabling ransomware deployment), and internal network pivoting capabilities to enumerate and attack other hotel systems.

Affected Systems and Versions

Five supported versions of Oracle Hospitality OPERA 5 Property Services are confirmed affected:

Affected VersionVersion Family
5.6.19.245.6.19.x
5.6.225.6.22
5.6.25.195.6.25.x
5.6.27.65.6.27.x
5.6.285.6.28

The vulnerability spans multiple release branches from 5.6.19 through 5.6.28, indicating the flaw resides in core shared code within the Opera component. Any on premises OPERA 5 installation running one of these versions is exposed. Organizations migrating to OPERA Cloud may have reduced exposure, but on premises OPERA 5 deployments remain widespread across the hospitality industry.

Given that OPERA's customer base includes brands like Hyatt, IHG, Radisson, Sonesta, Omni, and Rotana, the potential blast radius spans thousands of hotel properties globally.

Vendor Security History

The OPERA 5 Property Services product has accumulated a notable track record of critical vulnerabilities, particularly in the Opera component:

CVEYearTypeCVSSKey Detail
CVE-2023-219322023Pre-auth RCE (order of operations)9.8 (corrected by researchers)Sanitization before decryption; CGI web shell upload
CVE-2024-211722024Unauthenticated HTTP compromiseLower (Oracle rated "difficult")Unauthenticated attacker via HTTP
CVE-2026-219662026Reflected XSS5.1 (CVSS v4.0)OperaPrint servlet; HTML entity bypass
CVE-2026-219672026SSRF with credential disclosure8.7 (CVSS v4.0)OperaServlet urladdress; DB credentials leaked in plaintext
CVE-2026-343112026Unauthenticated takeover9.8Opera component; full system takeover

The recurrence of critical, unauthenticated vulnerabilities in the Opera component across multiple CPU cycles suggests a systemic issue rather than isolated bugs. Oracle's nondisclosure policy around vulnerability details compounds the problem: security teams cannot independently assess the true risk or develop targeted compensating controls without third party research.

It is also worth noting that Oracle has historically under rated the severity of OPERA vulnerabilities. For CVE-2023-21932, Oracle's initial assessment described the flaw as difficult to exploit and requiring high privileges. Independent researchers from Assetnote subsequently demonstrated it was trivially exploitable without any authentication. This pattern raises the question of whether CVE-2026-34311's actual exploitability could exceed even its already critical 9.8 assessment.

In broader context, Oracle has patched record numbers of vulnerabilities in past CPU cycles, with more than half being remotely exploitable without authentication in some releases, and 40 rated Critical with 25 having a CVSS score above 9.0 in one notable cycle.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization