ZeroPath at Black Hat USA 2026

Oracle REST Data Services CVE-2026-35277: Brief Summary of a High Severity Data Access Vulnerability in the Core Component

A short review of CVE-2026-35277, a CVSS 8.1 vulnerability in Oracle REST Data Services that allows low privileged attackers to read and modify critical data across all ORDS accessible resources via HTTPS.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Oracle REST Data Services CVE-2026-35277: Brief Summary of a High Severity Data Access Vulnerability in the Core Component
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Oracle's inaugural monthly Critical Security Patch Update for May 2026 addresses 11 vulnerabilities in Oracle REST Data Services alone, and CVE-2026-35277 stands out as a particularly accessible attack path: a low privileged user with nothing more than basic HTTPS access can read, create, delete, or modify critical data across the entire ORDS deployment. For organizations running any ORDS version from 24.2.0 through 26.1.0, which covers roughly two years of releases, this vulnerability exposes the primary gateway between web clients and Oracle Database to unauthorized data operations.

Oracle REST Data Services (ORDS) is a Java EE based HTTPS web gateway that sits in front of Oracle Database, providing RESTful API access to database operations. It powers Oracle APEX applications, Database Actions (the web based administration interface), and a suite of over 500 REST APIs covering PDB lifecycle management, performance monitoring, security administration, data dictionary access, and data pump operations. ORDS can be deployed on Oracle WebLogic Server, Apache Tomcat, or in standalone mode, making it a ubiquitous component in Oracle Database environments across enterprises worldwide.

Technical Information

Vulnerability Profile

CVE-2026-35277 targets the Core component of Oracle REST Data Services. The Core component is the central Java EE implementation responsible for command line configuration, enhanced security, file caching, and the delivery of RESTful web services. This is not a peripheral module; it is the foundational layer through which all ORDS operations flow.

The vulnerability carries a CVSS 3.1 Base Score of 8.1 with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. No CWE ID has been assigned, which limits formal classification through standard weakness enumeration frameworks. Oracle has not disclosed the specific vulnerability mechanism, consistent with their policy of withholding exploitation details until customers have had the opportunity to patch.

CVSS Vector Decomposition

Each metric in the CVSS vector tells us something specific about the attack surface:

CVSS MetricValueSecurity Implication
Attack Vector (AV)NetworkExploitable remotely; no physical or local access required
Attack Complexity (AC)LowNo specialized conditions needed; exploitation is straightforward
Privileges Required (PR)LowOnly low privilege credentials needed, not administrative access
User Interaction (UI)NoneFully automated attack possible; no user action required
Scope (S)UnchangedImpact confined to the ORDS component itself
Confidentiality (C)HighComplete access to all ORDS accessible data
Integrity (I)HighUnauthorized creation, deletion, or modification of critical data
Availability (A)NoneNo impact on service availability

The Oracle risk matrix confirms that the vulnerability "cannot be exploited remotely without authentication," meaning some level of credentials are required. However, the bar is low: only low privilege credentials are needed, not administrative access.

Attack Flow Analysis

Based on the CVSS characteristics and the architecture of ORDS, we can outline the likely attack flow:

  1. Initial Access: The attacker obtains low privilege credentials for an ORDS deployment. These could come from credential stuffing, phishing, insider access, or any other credential acquisition technique. The credentials need only provide basic authenticated access to the ORDS HTTPS endpoint.

  2. Exploitation: The attacker crafts specific HTTPS requests to the ORDS Core component that bypass or exceed the intended authorization boundaries of their low privilege account. The attack uses the same HTTPS protocol as legitimate ORDS traffic, making it difficult to distinguish from normal operations at the network layer.

  3. Data Access and Manipulation: Successful exploitation grants the attacker unauthorized read access to all ORDS accessible data (High confidentiality impact) as well as the ability to create, delete, or modify critical data (High integrity impact). Given that ORDS serves as the gateway to Oracle Database operations across 500+ REST APIs, the scope of accessible data could be extensive.

  4. No Availability Impact: The attack does not cause service disruption, meaning it can be conducted silently without triggering availability based alerts.

The combination of HTTPS as the attack protocol, low complexity, and no user interaction requirement means this vulnerability could be exploited programmatically at scale against any exposed ORDS endpoint where the attacker holds valid low privilege credentials.

Context Within the May 2026 CSPU

CVE-2026-35277 does not exist in isolation. It is one of 11 ORDS vulnerabilities addressed in the May 2026 CSPU, seven of which are remotely exploitable without authentication. The full set of ORDS CVEs in this update includes:

CVECVSSComponentPrivileges RequiredKey Impact
CVE-2026-4684010.0Backend as a ServiceNoneFull takeover with scope change
CVE-2026-468399.9CoreLowTakeover with scope change
CVE-2026-467759.9CoreLowTakeover with scope change
CVE-2026-352778.1CoreLowUnauthorized data access and modification
CVE-2026-352667.9CoreLowFull data compromise, partial DoS
CVE-2026-468297.5MongoapiNoneComplete denial of service
CVE-2026-468435.3CoreNonePartial denial of service
CVE-2026-468425.3CoreNoneUnauthorized update/insert/delete
CVE-2026-468415.3GeneralNoneUnauthorized read access
CVE-2026-468305.3MongoapiNoneUnauthorized read access

The presence of two CVSS 9.9 vulnerabilities and one CVSS 10.0 vulnerability in the same component family suggests systemic issues in the ORDS authorization and access control architecture rather than an isolated defect. Organizations that address CVE-2026-35277 in isolation risk leaving themselves exposed to the more severe CVE-2026-46839 and CVE-2026-46840.

Deployment Topology Considerations

ORDS supports three deployment topologies: Oracle WebLogic Server, Apache Tomcat, and standalone mode. All three are potentially affected since the vulnerability resides in the Core component, which is common across all deployment configurations. Organizations should inventory all ORDS deployments regardless of the underlying application server.

Affected Systems and Versions

All supported Oracle REST Data Services versions from 24.2.0 through 26.1.0 are affected. This range covers approximately two years of releases and represents the entire currently supported ORDS version spectrum.

Affected deployment configurations include:

  • ORDS deployed on Oracle WebLogic Server
  • ORDS deployed on Apache Tomcat
  • ORDS deployed in standalone mode

Any ORDS instance within the affected version range that is accessible over HTTPS and has low privilege user accounts is potentially vulnerable.

Vendor Security History

Oracle's security posture around ORDS has shifted significantly in 2026. The vulnerability trend data tells a clear story:

YearORDS VulnerabilitiesAverage CVSSNotable Pattern
2026 (through May)107.45Surge in volume and severity; includes CVSS 9.9 and 10.0
202516.1Single vulnerability (CVE-2025-30756)
2021125.58Dominated by third party components (jQuery, Jetty, SheetJS)
202045.63Mix of Jetty and Oracle native vulnerabilities
201946.10Third party libraries (Jetty, jQuery, Hibernate)

The 2026 surge from 1 to 10 vulnerabilities represents a 900% increase, with the average severity rising by 1.35 CVSS points compared to 2025. Notably, the 2026 vulnerabilities are concentrated in Oracle native Core component issues rather than the third party library vulnerabilities that dominated earlier years. This shift correlates with ORDS's expanded role as the primary HTTPS gateway and the broadening of its API surface.

Across the broader Oracle portfolio, 2026 CPUs have already addressed 337 vulnerabilities. Oracle has also faced cloud security incidents, including a breach attributed to a threat actor known as "rose87168" that allegedly compromised approximately 6 million records from Oracle's legacy Gen 1 cloud servers.

Oracle products have a documented history of targeted exploitation by sophisticated threat actors. SLCyber research demonstrated that CVE-2021-35587 in Oracle Identity Manager was exploited for pre authentication remote code execution and data exfiltration, illustrating that Oracle vulnerabilities remain viable targets when organizations delay patching. The Clop ransomware group has also conducted data extortion campaigns targeting Oracle E-Business Suite deployments.

The May 2026 CSPU marks Oracle's transition from quarterly Critical Patch Updates to monthly Critical Security Patch Updates. This accelerated cadence reduces the exposure window from approximately 90 days to 30 days but increases the operational burden on Oracle administrators. Organizations will need to adapt their patch management workflows to accommodate monthly cycles beginning with the June 2026 CSPU.

Mitigation Guidance

The definitive remediation for CVE-2026-35277 is applying the May 2026 Critical Security Patch Update. ORDS follows a version based upgrade model; there are no separate patches released for ORDS. Administrators must download the latest ORDS version and install it, which upgrades the existing installation.

Oracle strongly recommends applying patches without delay, noting that attackers have historically targeted systems that remain unpatched after security fixes are released.

For organizations that cannot immediately apply the CSPU, the following compensating controls are worth considering:

  • Audit low privilege ORDS accounts: Since exploitation requires low privilege credentials, minimize the number of active accounts with ORDS access. Disable or suspend accounts that do not require ORDS interaction.
  • Network segmentation: Limit HTTPS access to ORDS endpoints to trusted internal networks. Deploy ORDS behind web application firewalls or reverse proxies capable of inspecting and filtering HTTPS requests to the Core component.
  • Enhanced monitoring: Implement detailed logging for all HTTPS requests targeting ORDS Core REST APIs. Look for anomalous request patterns from low privilege accounts that exceed expected data access or modification patterns. The absence of availability impact means exploitation will not trigger uptime alerts, so data access monitoring is essential.
  • Apply the full CSPU: Given the 11 ORDS vulnerabilities in this update (seven remotely exploitable without authentication), partial remediation leaves critical gaps. The CVSS 9.9 and 10.0 vulnerabilities in the same update are more severe than CVE-2026-35277 and should not be overlooked.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization