Introduction
Oracle's inaugural monthly Critical Security Patch Update for May 2026 addresses 11 vulnerabilities in Oracle REST Data Services alone, and CVE-2026-35277 stands out as a particularly accessible attack path: a low privileged user with nothing more than basic HTTPS access can read, create, delete, or modify critical data across the entire ORDS deployment. For organizations running any ORDS version from 24.2.0 through 26.1.0, which covers roughly two years of releases, this vulnerability exposes the primary gateway between web clients and Oracle Database to unauthorized data operations.
Oracle REST Data Services (ORDS) is a Java EE based HTTPS web gateway that sits in front of Oracle Database, providing RESTful API access to database operations. It powers Oracle APEX applications, Database Actions (the web based administration interface), and a suite of over 500 REST APIs covering PDB lifecycle management, performance monitoring, security administration, data dictionary access, and data pump operations. ORDS can be deployed on Oracle WebLogic Server, Apache Tomcat, or in standalone mode, making it a ubiquitous component in Oracle Database environments across enterprises worldwide.
Technical Information
Vulnerability Profile
CVE-2026-35277 targets the Core component of Oracle REST Data Services. The Core component is the central Java EE implementation responsible for command line configuration, enhanced security, file caching, and the delivery of RESTful web services. This is not a peripheral module; it is the foundational layer through which all ORDS operations flow.
The vulnerability carries a CVSS 3.1 Base Score of 8.1 with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. No CWE ID has been assigned, which limits formal classification through standard weakness enumeration frameworks. Oracle has not disclosed the specific vulnerability mechanism, consistent with their policy of withholding exploitation details until customers have had the opportunity to patch.
CVSS Vector Decomposition
Each metric in the CVSS vector tells us something specific about the attack surface:
| CVSS Metric | Value | Security Implication |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely; no physical or local access required |
| Attack Complexity (AC) | Low | No specialized conditions needed; exploitation is straightforward |
| Privileges Required (PR) | Low | Only low privilege credentials needed, not administrative access |
| User Interaction (UI) | None | Fully automated attack possible; no user action required |
| Scope (S) | Unchanged | Impact confined to the ORDS component itself |
| Confidentiality (C) | High | Complete access to all ORDS accessible data |
| Integrity (I) | High | Unauthorized creation, deletion, or modification of critical data |
| Availability (A) | None | No impact on service availability |
The Oracle risk matrix confirms that the vulnerability "cannot be exploited remotely without authentication," meaning some level of credentials are required. However, the bar is low: only low privilege credentials are needed, not administrative access.
Attack Flow Analysis
Based on the CVSS characteristics and the architecture of ORDS, we can outline the likely attack flow:
-
Initial Access: The attacker obtains low privilege credentials for an ORDS deployment. These could come from credential stuffing, phishing, insider access, or any other credential acquisition technique. The credentials need only provide basic authenticated access to the ORDS HTTPS endpoint.
-
Exploitation: The attacker crafts specific HTTPS requests to the ORDS Core component that bypass or exceed the intended authorization boundaries of their low privilege account. The attack uses the same HTTPS protocol as legitimate ORDS traffic, making it difficult to distinguish from normal operations at the network layer.
-
Data Access and Manipulation: Successful exploitation grants the attacker unauthorized read access to all ORDS accessible data (High confidentiality impact) as well as the ability to create, delete, or modify critical data (High integrity impact). Given that ORDS serves as the gateway to Oracle Database operations across 500+ REST APIs, the scope of accessible data could be extensive.
-
No Availability Impact: The attack does not cause service disruption, meaning it can be conducted silently without triggering availability based alerts.
The combination of HTTPS as the attack protocol, low complexity, and no user interaction requirement means this vulnerability could be exploited programmatically at scale against any exposed ORDS endpoint where the attacker holds valid low privilege credentials.
Context Within the May 2026 CSPU
CVE-2026-35277 does not exist in isolation. It is one of 11 ORDS vulnerabilities addressed in the May 2026 CSPU, seven of which are remotely exploitable without authentication. The full set of ORDS CVEs in this update includes:
| CVE | CVSS | Component | Privileges Required | Key Impact |
|---|---|---|---|---|
| CVE-2026-46840 | 10.0 | Backend as a Service | None | Full takeover with scope change |
| CVE-2026-46839 | 9.9 | Core | Low | Takeover with scope change |
| CVE-2026-46775 | 9.9 | Core | Low | Takeover with scope change |
| CVE-2026-35277 | 8.1 | Core | Low | Unauthorized data access and modification |
| CVE-2026-35266 | 7.9 | Core | Low | Full data compromise, partial DoS |
| CVE-2026-46829 | 7.5 | Mongoapi | None | Complete denial of service |
| CVE-2026-46843 | 5.3 | Core | None | Partial denial of service |
| CVE-2026-46842 | 5.3 | Core | None | Unauthorized update/insert/delete |
| CVE-2026-46841 | 5.3 | General | None | Unauthorized read access |
| CVE-2026-46830 | 5.3 | Mongoapi | None | Unauthorized read access |
The presence of two CVSS 9.9 vulnerabilities and one CVSS 10.0 vulnerability in the same component family suggests systemic issues in the ORDS authorization and access control architecture rather than an isolated defect. Organizations that address CVE-2026-35277 in isolation risk leaving themselves exposed to the more severe CVE-2026-46839 and CVE-2026-46840.
Deployment Topology Considerations
ORDS supports three deployment topologies: Oracle WebLogic Server, Apache Tomcat, and standalone mode. All three are potentially affected since the vulnerability resides in the Core component, which is common across all deployment configurations. Organizations should inventory all ORDS deployments regardless of the underlying application server.
Affected Systems and Versions
All supported Oracle REST Data Services versions from 24.2.0 through 26.1.0 are affected. This range covers approximately two years of releases and represents the entire currently supported ORDS version spectrum.
Affected deployment configurations include:
- ORDS deployed on Oracle WebLogic Server
- ORDS deployed on Apache Tomcat
- ORDS deployed in standalone mode
Any ORDS instance within the affected version range that is accessible over HTTPS and has low privilege user accounts is potentially vulnerable.
Vendor Security History
Oracle's security posture around ORDS has shifted significantly in 2026. The vulnerability trend data tells a clear story:
| Year | ORDS Vulnerabilities | Average CVSS | Notable Pattern |
|---|---|---|---|
| 2026 (through May) | 10 | 7.45 | Surge in volume and severity; includes CVSS 9.9 and 10.0 |
| 2025 | 1 | 6.1 | Single vulnerability (CVE-2025-30756) |
| 2021 | 12 | 5.58 | Dominated by third party components (jQuery, Jetty, SheetJS) |
| 2020 | 4 | 5.63 | Mix of Jetty and Oracle native vulnerabilities |
| 2019 | 4 | 6.10 | Third party libraries (Jetty, jQuery, Hibernate) |
The 2026 surge from 1 to 10 vulnerabilities represents a 900% increase, with the average severity rising by 1.35 CVSS points compared to 2025. Notably, the 2026 vulnerabilities are concentrated in Oracle native Core component issues rather than the third party library vulnerabilities that dominated earlier years. This shift correlates with ORDS's expanded role as the primary HTTPS gateway and the broadening of its API surface.
Across the broader Oracle portfolio, 2026 CPUs have already addressed 337 vulnerabilities. Oracle has also faced cloud security incidents, including a breach attributed to a threat actor known as "rose87168" that allegedly compromised approximately 6 million records from Oracle's legacy Gen 1 cloud servers.
Oracle products have a documented history of targeted exploitation by sophisticated threat actors. SLCyber research demonstrated that CVE-2021-35587 in Oracle Identity Manager was exploited for pre authentication remote code execution and data exfiltration, illustrating that Oracle vulnerabilities remain viable targets when organizations delay patching. The Clop ransomware group has also conducted data extortion campaigns targeting Oracle E-Business Suite deployments.
The May 2026 CSPU marks Oracle's transition from quarterly Critical Patch Updates to monthly Critical Security Patch Updates. This accelerated cadence reduces the exposure window from approximately 90 days to 30 days but increases the operational burden on Oracle administrators. Organizations will need to adapt their patch management workflows to accommodate monthly cycles beginning with the June 2026 CSPU.
Mitigation Guidance
The definitive remediation for CVE-2026-35277 is applying the May 2026 Critical Security Patch Update. ORDS follows a version based upgrade model; there are no separate patches released for ORDS. Administrators must download the latest ORDS version and install it, which upgrades the existing installation.
Oracle strongly recommends applying patches without delay, noting that attackers have historically targeted systems that remain unpatched after security fixes are released.
For organizations that cannot immediately apply the CSPU, the following compensating controls are worth considering:
- Audit low privilege ORDS accounts: Since exploitation requires low privilege credentials, minimize the number of active accounts with ORDS access. Disable or suspend accounts that do not require ORDS interaction.
- Network segmentation: Limit HTTPS access to ORDS endpoints to trusted internal networks. Deploy ORDS behind web application firewalls or reverse proxies capable of inspecting and filtering HTTPS requests to the Core component.
- Enhanced monitoring: Implement detailed logging for all HTTPS requests targeting ORDS Core REST APIs. Look for anomalous request patterns from low privilege accounts that exceed expected data access or modification patterns. The absence of availability impact means exploitation will not trigger uptime alerts, so data access monitoring is essential.
- Apply the full CSPU: Given the 11 ORDS vulnerabilities in this update (seven remotely exploitable without authentication), partial remediation leaves critical gaps. The CVSS 9.9 and 10.0 vulnerabilities in the same update are more severe than CVE-2026-35277 and should not be overlooked.
References
- NVD Entry for CVE-2026-35277
- Oracle Security Critical Patch Update Advisory, May 2026
- Oracle Critical Patch Updates and Security Alerts
- Introduction to Oracle REST Data Services (ORDS 24.2 Documentation)
- Oracle REST Data Services 26.1 Documentation
- Oracle REST Data Services Security Vulnerabilities in 2026 (Stack.Watch)
- Oracle Community Forums: Patches for ORDS?
- CISA Known Exploited Vulnerabilities Catalog
- NJCCIC 2026 Cyber Threat Assessment
- CVE-2025-30756 Detail (Prior ORDS Vulnerability)
- SLCyber: Uncovering Oracle Identity Manager Pre Auth RCE
- DB-Engines Database Popularity Ranking
- Oracle REST Data Services Product Page



