Introduction
Oracle REST Data Services just received a maximum severity CVSS 10.0 vulnerability that allows unauthenticated attackers to fully take over ORDS instances via HTTPS, with confirmed scope change meaning connected Oracle Databases and downstream applications are also at risk. Disclosed on May 28, 2026, as part of Oracle's first ever Critical Security Patch Update (CSPU), CVE-2026-46840 affects every supported ORDS version from 24.2.0 through 26.1.0 and sits in the Backend-as-a-Service component that many organizations expose directly to the internet.
Technical Information
The Vulnerable Component
CVE-2026-46840 targets the Backend-as-a-Service (BaaS) component within Oracle REST Data Services. ORDS serves as the HTTPS Web Gateway for Oracle Database, providing REST APIs for data and databases, Oracle Database Actions, Oracle APEX access, and the Oracle Database API for MongoDB. The BaaS component specifically provides backend services for mobile and web applications, enabling developers to define REST APIs backed by SQL and PL/SQL and to REST-enable tables, views, and stored procedures.
Because BaaS endpoints are designed to serve external client applications, they are typically among the most exposed parts of an ORDS deployment, often accessible from the public internet.
CVSS 3.1 Vector Analysis
The full CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, yielding a perfect 10.0 base score. Here is what each metric tells us:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over HTTPS |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | Fully automatable, no victim action |
| Scope | Changed | Impacts extend beyond ORDS to other products |
| Confidentiality | High | Total information disclosure |
| Integrity | High | Complete system compromise |
| Availability | High | Full denial of service capability |
Scope Change: Why This Matters Beyond ORDS
The Changed scope (S:C) designation is the most architecturally significant aspect of this vulnerability. It means that exploiting ORDS can compromise additional products or systems connected to it. Given ORDS's role as a gateway between external clients and Oracle Databases, the downstream impact likely extends to the database tier, any applications relying on ORDS for data access, and potentially adjacent systems in the same network segment.
This is not a theoretical concern. ORDS by design has privileged connectivity to Oracle Database instances, and a full takeover of ORDS could grant an attacker the same level of database access that ORDS itself holds.
Attack Surface and Exploitation Characteristics
The vulnerability is exploitable via HTTPS, the primary protocol ORDS uses for all its services. Oracle describes it as "easily exploitable," which in Oracle's risk matrix taxonomy indicates that successful attack requires minimal effort and no specialized conditions. An attacker needs only network connectivity to the ORDS endpoint; no credentials, no prior access, and no user interaction are required.
The BaaS component processes requests from client applications through exposed API endpoints. The attack surface likely involves these unauthenticated request handling paths, though the specific vulnerability class (SQL injection, deserialization, authentication bypass, or otherwise) has not been publicly disclosed. No CWE ID has been assigned, and no proof of concept code has been published.
What Remains Unknown
Several important technical details have not been disclosed:
- The precise vulnerability type and root cause
- CWE classification
- Proof of concept or exploit code
- The exact remediated ORDS version number (though the May 2026 CSPU includes the fix)
The vulnerability was reported to Oracle by Xchglabs, an external security research entity, indicating active third party auditing of ORDS.
Affected Systems and Versions
All supported versions of Oracle REST Data Services are affected. The vulnerable version range is 24.2.0 through 26.1.0, which includes:
- 24.2.0, 24.2.1
- 24.3.0, 24.3.1
- 24.4.0
- 25.1.0, 25.2.0, 25.3.0, 25.4.0
- 26.1.0
Any ORDS deployment running a version within this range and exposing the Backend-as-a-Service component is vulnerable. Deployments with ORDS endpoints accessible from the internet are at the highest risk given the unauthenticated, network-based attack vector.
Vendor Security History
Oracle REST Data Services has seen a notable escalation in vulnerability disclosures throughout 2026:
| Release | ORDS Patches | Remote Without Auth |
|---|---|---|
| October 2025 CPU | 1 | 0 |
| January 2026 CPU | 0 (third party only) | 0 |
| April 2026 CPU | 2 | 2 |
| May 2026 CSPU | 11 | 7 |
The May 2026 CSPU represents a five-fold increase in ORDS patches compared to the prior quarter, suggesting intensified security research scrutiny on the product. Seven of the 11 patches address vulnerabilities that are remotely exploitable without authentication.
This pattern is worth watching. In March 2025, an Oracle Cloud breach exploited CVE-2021-35587, an older vulnerability in Oracle Access Manager. Oracle confirmed the breach occurred via outdated, unpatched servers rather than cloud infrastructure vulnerabilities. That incident demonstrated the real world consequences of delayed patching in Oracle environments and the potential for scope escalation attacks where a vulnerability in one Oracle product is leveraged to compromise adjacent systems.
The introduction of the CSPU designation itself, replacing the standard quarterly CPU cadence for this release, signals that Oracle considered the severity of these findings significant enough to warrant an out-of-cycle or specially designated release.
References
- NVD: CVE-2026-46840
- Oracle Security Critical Patch Update Advisory, May 2026
- Text Form of Oracle CSPU May 2026 Risk Matrices
- Oracle Critical Patch Updates Portal
- Oracle REST Data Services Product Page
- Introduction to Oracle REST Data Services (Documentation)
- ORDS Release Notes 26.1.0
- Oracle REST Data Services Security Vulnerabilities in 2026 (Stack.Watch)
- Oracle Critical Patch Update Advisory, April 2026
- Oracle Critical Patch Update Advisory, January 2026
- Oracle Critical Patch Update Advisory, October 2025
- Oracle Cloud Breach Exploiting CVE-2021-35587 (Orca Security)
- Oracle Confirms Data Breach via Outdated Servers (Techzine)
- New York State ITS: Oracle Quarterly Critical Patches, April 2026
- CVE-2026-3910: Chrome V8 Zero-Day Analysis (SOC Prime)



