ZeroPath at Black Hat USA 2026

Oracle REST Data Services CVE-2026-46840: Overview of a CVSS 10.0 Unauthenticated Takeover Vulnerability

A brief summary of CVE-2026-46840, a maximum severity (CVSS 10.0) vulnerability in Oracle REST Data Services that allows unauthenticated remote takeover via HTTPS, with scope change impacting connected databases and applications.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-28

Oracle REST Data Services CVE-2026-46840: Overview of a CVSS 10.0 Unauthenticated Takeover Vulnerability
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Oracle REST Data Services just received a maximum severity CVSS 10.0 vulnerability that allows unauthenticated attackers to fully take over ORDS instances via HTTPS, with confirmed scope change meaning connected Oracle Databases and downstream applications are also at risk. Disclosed on May 28, 2026, as part of Oracle's first ever Critical Security Patch Update (CSPU), CVE-2026-46840 affects every supported ORDS version from 24.2.0 through 26.1.0 and sits in the Backend-as-a-Service component that many organizations expose directly to the internet.

Technical Information

The Vulnerable Component

CVE-2026-46840 targets the Backend-as-a-Service (BaaS) component within Oracle REST Data Services. ORDS serves as the HTTPS Web Gateway for Oracle Database, providing REST APIs for data and databases, Oracle Database Actions, Oracle APEX access, and the Oracle Database API for MongoDB. The BaaS component specifically provides backend services for mobile and web applications, enabling developers to define REST APIs backed by SQL and PL/SQL and to REST-enable tables, views, and stored procedures.

Because BaaS endpoints are designed to serve external client applications, they are typically among the most exposed parts of an ORDS deployment, often accessible from the public internet.

CVSS 3.1 Vector Analysis

The full CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, yielding a perfect 10.0 base score. Here is what each metric tells us:

MetricValueImplication
Attack VectorNetworkExploitable remotely over HTTPS
Attack ComplexityLowNo specialized conditions required
Privileges RequiredNoneNo authentication needed
User InteractionNoneFully automatable, no victim action
ScopeChangedImpacts extend beyond ORDS to other products
ConfidentialityHighTotal information disclosure
IntegrityHighComplete system compromise
AvailabilityHighFull denial of service capability

Scope Change: Why This Matters Beyond ORDS

The Changed scope (S:C) designation is the most architecturally significant aspect of this vulnerability. It means that exploiting ORDS can compromise additional products or systems connected to it. Given ORDS's role as a gateway between external clients and Oracle Databases, the downstream impact likely extends to the database tier, any applications relying on ORDS for data access, and potentially adjacent systems in the same network segment.

This is not a theoretical concern. ORDS by design has privileged connectivity to Oracle Database instances, and a full takeover of ORDS could grant an attacker the same level of database access that ORDS itself holds.

Attack Surface and Exploitation Characteristics

The vulnerability is exploitable via HTTPS, the primary protocol ORDS uses for all its services. Oracle describes it as "easily exploitable," which in Oracle's risk matrix taxonomy indicates that successful attack requires minimal effort and no specialized conditions. An attacker needs only network connectivity to the ORDS endpoint; no credentials, no prior access, and no user interaction are required.

The BaaS component processes requests from client applications through exposed API endpoints. The attack surface likely involves these unauthenticated request handling paths, though the specific vulnerability class (SQL injection, deserialization, authentication bypass, or otherwise) has not been publicly disclosed. No CWE ID has been assigned, and no proof of concept code has been published.

What Remains Unknown

Several important technical details have not been disclosed:

  • The precise vulnerability type and root cause
  • CWE classification
  • Proof of concept or exploit code
  • The exact remediated ORDS version number (though the May 2026 CSPU includes the fix)

The vulnerability was reported to Oracle by Xchglabs, an external security research entity, indicating active third party auditing of ORDS.

Affected Systems and Versions

All supported versions of Oracle REST Data Services are affected. The vulnerable version range is 24.2.0 through 26.1.0, which includes:

  • 24.2.0, 24.2.1
  • 24.3.0, 24.3.1
  • 24.4.0
  • 25.1.0, 25.2.0, 25.3.0, 25.4.0
  • 26.1.0

Any ORDS deployment running a version within this range and exposing the Backend-as-a-Service component is vulnerable. Deployments with ORDS endpoints accessible from the internet are at the highest risk given the unauthenticated, network-based attack vector.

Vendor Security History

Oracle REST Data Services has seen a notable escalation in vulnerability disclosures throughout 2026:

ReleaseORDS PatchesRemote Without Auth
October 2025 CPU10
January 2026 CPU0 (third party only)0
April 2026 CPU22
May 2026 CSPU117

The May 2026 CSPU represents a five-fold increase in ORDS patches compared to the prior quarter, suggesting intensified security research scrutiny on the product. Seven of the 11 patches address vulnerabilities that are remotely exploitable without authentication.

This pattern is worth watching. In March 2025, an Oracle Cloud breach exploited CVE-2021-35587, an older vulnerability in Oracle Access Manager. Oracle confirmed the breach occurred via outdated, unpatched servers rather than cloud infrastructure vulnerabilities. That incident demonstrated the real world consequences of delayed patching in Oracle environments and the potential for scope escalation attacks where a vulnerability in one Oracle product is leveraged to compromise adjacent systems.

The introduction of the CSPU designation itself, replacing the standard quarterly CPU cadence for this release, signals that Oracle considered the severity of these findings significant enough to warrant an out-of-cycle or specially designated release.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization