Introduction
Oracle REST Data Services (ORDS) sits at one of the most sensitive positions in the Oracle technology stack: it is the HTTPS gateway between external clients and the Oracle Database, translating REST requests into database operations via an embedded JDBC driver. A newly disclosed vulnerability in the ORDS Core component, CVE-2026-46775, allows any low privileged authenticated user to achieve complete takeover of the ORDS instance, with scope change enabling compromise of connected databases, APEX applications, and downstream services.
ORDS is a Java Enterprise Edition based data service that exposes more than 500 REST APIs for database administration and lifecycle management. It supports deployment on Oracle WebLogic Server, Apache Tomcat, or in standalone mode, and powers Database Actions (formerly SQL Developer Web), the Oracle API for MongoDB, and pluggable database lifecycle operations. For organizations using Oracle Database in any capacity, ORDS is frequently the primary interface between their applications and their data.
This CVE arrives as part of Oracle's May 2026 Critical Security Patch Update, which addresses 11 security patches for ORDS alone, including one vulnerability scoring a perfect CVSS 10.0 and two scoring 9.9. The concentration of critical vulnerabilities in a single patch cycle for this product is notable and warrants careful attention from any organization running ORDS.
Technical Information
Vulnerability Characteristics
CVE-2026-46775 affects the Core component of Oracle REST Data Services, versions 24.2.0 through 26.1.0. The Core component is the central processing engine responsible for request routing, authentication, privilege enforcement, and the translation of REST requests into database operations. Oracle has not disclosed a CWE classification or specific vulnerability mechanism, limiting our ability to characterize the root cause beyond what the CVSS vector and advisory language reveal.
The CVSS 3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:
| CVSS Metric | Value | Significance |
|---|---|---|
| Attack Vector (AV) | Network | Exploitable remotely over HTTPS |
| Attack Complexity (AC) | Low | No specialized conditions or race conditions needed |
| Privileges Required (PR) | Low | Any low privileged authenticated user can exploit |
| User Interaction (UI) | None | No victim action required |
| Scope (S) | Changed | Impact extends beyond ORDS to additional products |
| Confidentiality (C) | High | Complete information disclosure possible |
| Integrity (I) | High | Complete data modification possible |
| Availability (A) | High | Complete denial of service possible |
Oracle's risk matrix confirms that remote exploitation does not require authentication bypass; the attacker must have at least low level credentials but nothing more. The advisory describes the vulnerability as "easily exploitable," indicating no race conditions, special configurations, or exotic payloads are required.
ORDS Architecture and Attack Surface
Understanding why this vulnerability is particularly dangerous requires understanding where ORDS sits architecturally. ORDS functions as the HTTPS Web Gateway for Oracle Database, providing an alternative to Oracle HTTP Server and mod_plsql. It processes HTTP/HTTPS requests and translates them into database operations via an embedded JDBC driver without requiring a separate Oracle home. The ORDS architecture relies on database users with highly restricted grants, preventing the middleware tier from executing operations that exceed its defined scope.
ORDS supports multiple authentication mechanisms including basic authentication, OAuth 2.0, and JSON Web Tokens (JWTs), with integration to OCI Identity and Access Management (IAM) for role based access control.
Scope Change Analysis
The S:C (Scope Changed) designation is the most architecturally significant aspect of this vulnerability. Per the CVSS 3.1 specification, Scope Changed indicates that the vulnerable component (ORDS Core) and the impacted component are in different security authority domains. The NVD description states explicitly: "While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle REST Data Services."
The term "takeover" indicates the attacker gains full control of the ORDS instance. Through the scope change, the following additional resources are potentially compromised:
- Underlying Oracle Database instances connected via JDBC
- Applications consuming ORDS REST APIs
- Oracle APEX applications served through ORDS
- Database Actions (SQL Developer Web) functionality
- The Oracle API for MongoDB translation layer within ORDS
- Connected microservices and CI/CD pipeline integrations
When the gateway is compromised, the trust relationships it mediates are also compromised. ORDS sits at a privilege boundary between untrusted network traffic and trusted database operations. An attacker who takes over this boundary effectively controls what the database trusts.
Attack Flow
Based on the CVSS metrics and advisory details, the attack flow would proceed as follows:
- The attacker obtains low privileged credentials for an ORDS endpoint. This could be any authenticated account; administrative privileges are not required.
- The attacker crafts malicious HTTPS requests targeting the Core component. The low attack complexity (AC:L) and Oracle's "easily exploitable" designation indicate this does not require sophisticated payloads.
- Successful exploitation results in takeover of the ORDS instance, granting the attacker full control over the Core component's request routing, authentication, and privilege enforcement mechanisms.
- Through the scope change, the attacker can leverage the compromised ORDS instance to impact connected database instances and downstream services that trust ORDS as a legitimate gateway.
Oracle does not disclose detailed technical information about the vulnerability mechanism, stating that it provides "the risk matrix information so that customers may conduct their own risk analysis." No proof of concept exploit code has been published, and no indicators of compromise specific to this CVE are available.
Companion Vulnerabilities in the May 2026 CSPU
CVE-2026-46775 does not exist in isolation. The May 2026 CSPU addresses 11 ORDS vulnerabilities, and the full picture of what was patched provides important context:
| CVE ID | CVSS Score | Component |
|---|---|---|
| CVE-2026-46840 | 10.0 | Backend as a Service |
| CVE-2026-46775 | 9.9 | Core |
| CVE-2026-46839 | 9.9 | Core |
| CVE-2026-2332 | 9.1 | Core (Eclipse Jetty) |
| CVE-2026-35277 | 8.1 | Core |
| CVE-2026-35266 | 7.9 | Core |
| CVE-2026-46829 | 7.5 | Mongoapi |
| CVE-2026-46842 | 5.3 | Core |
| CVE-2026-46843 | 5.3 | Core |
| CVE-2026-46841 | 5.3 | General |
| CVE-2026-46830 | 5.3 | Mongoapi |
Seven of these 11 vulnerabilities may be remotely exploitable. The patch for CVE-2026-2332 also addresses CVE-2026-5795. The volume and severity of these patches suggest ORDS has been under concentrated vulnerability research, and the Core component in particular appears to have systemic issues that merit long term monitoring.
Affected Systems and Versions
Oracle REST Data Services versions 24.2.0 through 26.1.0 are affected. This encompasses all supported ORDS releases across that version range.
ORDS can be deployed in multiple configurations:
- Standalone mode
- On Oracle WebLogic Server
- On Apache Tomcat
All deployment modes using affected versions are vulnerable, as the vulnerability is in the Core component which is common to all deployment topologies. Any ORDS instance accessible over HTTPS from a network where an attacker holds low privileged credentials is within the attack surface.
Vendor Security History
The ORDS Core component has a documented pattern of scope change vulnerabilities across multiple Oracle patch cycles:
| Advisory Cycle | Notable ORDS CVEs | Key Details |
|---|---|---|
| July 2025 CPU | Scope change ORDS CVEs | CISA bulletin noted "attacks may significantly impact additional products (scope change)" |
| October 2025 CPU | CVE-2025-30756 | Unauthenticated attacker via HTTP; remotely exploitable without authentication |
| April 2026 CPU | CVE-2026-23864 | ORDS Core vulnerability addressed |
| May 2026 CSPU | CVE-2026-46775, CVE-2026-46839, CVE-2026-46840 | Three CVEs scoring 9.9 or above; one achieves maximum CVSS 10.0 |
CVE-2025-30756 is a particularly relevant precedent. That vulnerability allowed an unauthenticated attacker with network access via HTTP to compromise ORDS with scope change. The critical difference is that CVE-2025-30756 required no authentication at all (PR:N), while CVE-2026-46775 requires low privileged access (PR:L). Both share the scope change characteristic and the potential for complete system takeover, indicating a persistent class of vulnerability where the ORDS Core's trust boundary with backend databases can be exploited to escalate impact beyond the ORDS application itself.
Beyond ORDS specifically, Oracle's broader security posture has been under pressure. In early 2025, Oracle confirmed a significant data breach affecting Oracle Cloud Infrastructure, with a threat actor claiming access to 6 million records including single sign on credentials, LDAP passwords, OAuth2 keys, and tenant data. CISA issued a security alert, and approximately 80 hospitals may have been affected through the Oracle Health data breach. In December 2025, threat actors were observed actively exploiting Oracle Identity Manager vulnerabilities (CVE-2026-21992), which involved REST web service vulnerabilities in Oracle Fusion Middleware, a pattern structurally similar to ORDS HTTPS based attacks.
Beginning in May 2026, Oracle moved from a quarterly Critical Patch Update cadence to a monthly Critical Security Patch Update release cycle. This transition, designed to enable faster protection against emerging threats, itself signals that the threat tempo against Oracle products has accelerated. Organizations should adjust their patch management schedules accordingly.
Threat Intelligence
As of the NVD publication date of May 28, 2026, there is no confirmed evidence of CVE-2026-46775 being actively exploited in the wild. No CISA Known Exploited Vulnerabilities (KEV) catalog entry exists for this CVE, and no security vendor reports specifically reference active exploitation.
However, several factors create an elevated exploitation risk profile:
Credential availability from prior breaches. The 2025 OCI breach resulted in stolen OAuth2 keys, SSO credentials, and LDAP passwords. These credentials could potentially provide the low privileged access (PR:L) that CVE-2026-46775 requires. Organizations that were affected by the OCI breach and have not rotated all credentials face compounded risk.
Active targeting of Oracle REST interfaces. The exploitation of Oracle Identity Manager REST web service vulnerabilities in late 2025 demonstrates that threat actors are actively targeting Oracle's REST facing middleware. The structural similarity between those attacks and ORDS HTTPS based exploitation is worth noting.
Patch cluster reverse engineering risk. When 11 vulnerabilities in the same product are disclosed simultaneously, including three at CVSS 9.9 or above, the published patches themselves become a resource for threat actors. Differential analysis of pre and post patch binaries can reveal vulnerability mechanisms, and the concentration of critical fixes in ORDS makes it a high value target for such analysis.
No targeted detection capability. The absence of a CWE classification, specific vulnerability mechanism disclosure, or published indicators of compromise means organizations cannot create targeted detection rules or WAF signatures. This information asymmetry, where exploitation is straightforward but targeted defense is difficult, tilts the risk calculus strongly toward immediate patching.
Mitigation Strategies
Apply the May 2026 CSPU
The definitive mitigation is to apply the May 2026 Critical Security Patch Update for Oracle REST Data Services. Oracle states that the CSPU "contains 11 new security patches" for ORDS and "Oracle strongly recommends customers apply patches without delay." This is the only remedy that addresses the root cause.
Interim Measures
For organizations that cannot immediately patch, Oracle's advisory provides general interim guidance: "blocking network protocols or removing privileges may help reduce risk, but these are not long term solutions."
Specific interim actions based on ORDS architecture:
- Restrict HTTPS endpoint exposure. Deploy ORDS behind a reverse proxy or load balancer with strict access control lists, limiting exposure to only required internal networks.
- Reduce authenticated accounts. Since the vulnerability requires low privileged access, minimizing the number of accounts with any level of ORDS access directly reduces the pool of potential attackers.
- Audit database user grants. ORDS documentation emphasizes that the architecture relies on database users with highly restricted grants. Verify that all database user accounts ORDS connects as have minimal required privileges.
- Enforce strong authentication. Verify that no ORDS endpoints allow unauthenticated access that could be leveraged as a stepping stone. Ensure OAuth 2.0 or JWT authentication is enforced across all endpoints.
- Monitor access logs. Implement logging and monitoring for anomalous HTTPS requests to ORDS endpoints, particularly requests from low privileged accounts exhibiting unusual patterns such as accessing administrative APIs.
Architectural Considerations
The recurrence of scope change vulnerabilities in the ORDS Core component across multiple patch cycles suggests that the Core's position as a gateway between external HTTPS requests and internal database operations creates inherent privilege boundary challenges. Organizations with high security requirements should evaluate whether additional isolation layers (network segmentation, dedicated ORDS instances per security zone, or database firewall products) can limit the blast radius of future ORDS Core vulnerabilities.
References
- NVD: CVE-2026-46775
- Oracle Security Critical Patch Update Advisory, May 2026
- Oracle Critical Patch Updates and Security Alerts
- Introduction to Oracle REST Data Services
- Oracle REST Data Services (ORDS) Product Page
- Oracle REST Data Services Best Practices
- NVD: CVE-2025-30756 (Prior ORDS Scope Change Vulnerability)
- CISA Vulnerability Summary, Week of July 14, 2025
- Oracle Critical Patch Update Advisory, April 2026
- Oracle Critical Patch Update Advisory, October 2025
- Threat Actors Actively Exploiting Oracle Identity Manager
- Threat Actor in Oracle Cloud Breach (CybersecurityDive)
- 80 Hospitals May Have Been Affected by Oracle Health Data Breach
- Hacker Linked to Oracle Cloud Intrusion Threatens to Sell Stolen Data



