ZeroPath at Black Hat USA 2026

Quick Look: CVE-2026-46833 — Oracle Database Net Service TLS Takeover with Scope Change

A brief summary of CVE-2026-46833, a CVSS 9.0 vulnerability in Oracle Database Net Service that allows unauthenticated attackers to achieve full takeover via TLS, with impact extending beyond the vulnerable component to additional products.

CVE Analysis

9 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Quick Look: CVE-2026-46833 — Oracle Database Net Service TLS Takeover with Scope Change
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Oracle Database's networking layer, the component that every client connection passes through before reaching the database engine, contains a critical vulnerability that allows unauthenticated attackers to achieve full takeover via TLS and then pivot to impact additional products beyond the vulnerable component itself. CVE-2026-46833, disclosed in Oracle's inaugural monthly Critical Security Patch Update on May 28, 2026, carries a CVSS 3.1 score of 9.0 and affects not only database servers but also client-only installations, meaning the remediation footprint extends well beyond the database tier into application servers, web servers, and developer workstations.

Technical Information

The Vulnerable Component: Oracle Net Services

Oracle Net Services is the networking foundation of Oracle Database. It manages all aspects of client-to-server and server-to-server connectivity: session establishment, authentication negotiation, encryption via TLS/SSL, and data transport. Every Oracle Database deployment relies on Net Services, and the Oracle listener (typically on TCP port 1521) is the entry point for all incoming connections. A vulnerability at this layer is particularly consequential because it sits in the path of every database interaction.

CVSS Vector Decomposition

The full CVSS 3.1 vector for CVE-2026-46833 is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H. Breaking this down:

CVSS MetricValueSignificance
Attack Vector (AV)NetworkExploitable remotely over the network
Attack Complexity (AC)HighRequires specialized conditions or knowledge
Privileges Required (PR)NoneNo authentication credentials needed
User Interaction (UI)NoneNo user action required
Scope (S)ChangedImpact extends beyond the vulnerable component
Confidentiality (C)HighComplete information disclosure possible
Integrity (I)HighComplete data modification possible
Availability (A)HighComplete service disruption possible

The Attack Complexity: High rating is worth careful consideration. While it raises the bar for exploitation compared to easily exploitable flaws, it does not eliminate the threat from determined or well-resourced actors. The vulnerability was discovered by DEVCORE's HexRabbit, a researcher at a firm that specializes in enterprise network software vulnerabilities. This professional grade discovery suggests the conditions for exploitation may be more achievable in practice than the raw CVSS metric implies, particularly for sophisticated threat actors.

The Scope Change Problem

The Scope: Changed designation is the most operationally significant aspect of this CVE. In CVSS 3.1, a scope change means the vulnerability's impact crosses trust boundaries, allowing an attacker to affect resources beyond the security authority of the vulnerable component. Oracle's advisory states that successful attacks may "significantly impact additional products." In concrete terms, compromising Net Service could cascade to the database server process itself, connected applications, or other systems that interact with the database over TLS. This makes CVE-2026-46833 not just a database vulnerability but a potential pivot point for broader infrastructure compromise.

TLS as the Attack Surface

The attack is conducted over the TLS protocol. Because the vulnerability requires no authentication and no user interaction, an attacker needs only network reachability to an Oracle Database listener with TLS enabled. The attack surface therefore includes any network path that can reach the listener port. The specific exploitation mechanism (whether this involves a flaw in the TLS handshake, session management, certificate validation, or another aspect of the TLS implementation) has not been publicly disclosed by Oracle, consistent with their policy of withholding detailed exploit information.

Systemic Weakness: Three Net Service TLS Vulnerabilities

CVE-2026-46833 was not disclosed in isolation. Two additional Net Service vulnerabilities, CVE-2026-46834 and CVE-2026-46835, were patched in the same May 2026 CSPU. All three are remotely exploitable without authentication and all target TLS communications. The Oracle Database Server product family received exactly 3 new security patches in this CSPU, and all three address the same component and protocol. The simultaneous disclosure of three distinct vulnerabilities in the same TLS implementation strongly suggests a systemic issue that warranted focused remediation, rather than three unrelated bugs.

Client-Side Exposure

A critical detail that organizations may overlook: the Oracle advisory confirms this vulnerability also affects client-only installations. Systems running Oracle Instant Client or the full Oracle Client (without a database server) are vulnerable. These are commonly deployed on application servers, web servers, middleware tiers, and developer workstations. The remediation scope is therefore significantly larger than "patch the database servers."

Affected Systems and Versions

The following are affected:

  • Oracle Database Server versions 23.4.0 through 23.26.2
  • Client-only installations of Oracle Database (Oracle Instant Client, full Oracle Client) for the same version range
  • Any deployment where TLS is enabled for Oracle Net Services connectivity

The vulnerability is accessible via the Oracle Database listener, typically on TCP port 1521, when TLS is configured.

Vendor Security History

Oracle's security track record provides important context for evaluating CVE-2026-46833.

The April 2026 Critical Patch Update addressed 481 security vulnerabilities across Oracle's product portfolio, with approximately 78% of those patches addressing non-Oracle CVEs in bundled open source components. Oracle Database Server itself received 8 new security updates in that release, with a maximum CVSS of 7.5. Multiple product families had vulnerabilities scoring 9.0 or higher.

Oracle's recent breach history underscores the consequences of delayed patching. In November 2025, attackers exploited Oracle's E-Business Suite via outdated servers, exfiltrating data from nearly 30 major corporations. A separate 2025 breach of Oracle Health's legacy Cerner systems compromised patient data across at least 16 health systems, with notifications not sent until early 2026. FINRA issued a cybersecurity alert regarding an alleged large scale data breach possibly affecting Oracle Cloud services at member firms and third party providers.

Oracle itself acknowledges the pattern, stating it "continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches," with attackers often succeeding "because targeted customers had failed to apply available Oracle patches."

The transition to monthly CSPUs, beginning with the May 28, 2026 release that includes the fix for CVE-2026-46833, represents Oracle's response to this accelerating threat environment. Oracle's Integrated Cyber Center stated that "CSPUs provide targeted fixes for critical vulnerabilities in a smaller, more focused format, allowing customers to address high priority issues without waiting for the next quarterly release."

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization