medium advisory

CVE-2026-35266: Oracle REST Data Services Vulnerability Allows Unauthorized Data Access and Modification

A vulnerability in Oracle REST Data Services versions 24.2.0 to 26.1.0 lets a low-privileged attacker with network access via HTTPS, given interaction from another user, gain unauthorized access to data, modify it, and cause a partial denial of service.

CVE-2026-35266 describes a vulnerability affecting Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0. A low-privileged attacker with network access via HTTPS can exploit this vulnerability. The exploit is considered difficult and requires human interaction from a person other than the attacker to succeed. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, unauthorized access to sensitive information, and a partial denial of service (DoS) condition. While the vulnerability resides in ORDS, successful attacks may impact additional products.

Attack Chain

  1. The attacker gains initial network access to the target ORDS instance via HTTPS.
  2. The attacker crafts a malicious request targeting a vulnerable endpoint within ORDS.
  3. The attacker leverages a vulnerability in the ORDS core component.
  4. The attacker requires a separate user to interact with a crafted payload, potentially through social engineering or other deceptive methods.
  5. Upon successful user interaction, the attacker gains unauthorized privileges within the ORDS environment.
  6. The attacker leverages the elevated privileges to access, modify, or delete critical data within ORDS.
  7. The attacker may pivot to other systems or applications accessible through ORDS, expanding the scope of the attack.
  8. The attacker may trigger a partial denial of service (DoS) condition, disrupting ORDS functionality.

Impact

Successful exploitation of CVE-2026-35266 allows unauthorized creation, deletion, or modification of critical data within Oracle REST Data Services. It also grants unauthorized access to sensitive information and can cause a partial denial of service, affecting the availability of ORDS. The scope change indicated for this vulnerability means that a successful attack against ORDS can lead to further compromise of interconnected systems and data beyond ORDS itself.

Recommendation

  • Apply the latest patches and updates for Oracle REST Data Services to remediate CVE-2026-35266.
  • Deploy the Sigma rules to your SIEM to detect potential exploitation attempts (see below).
  • Monitor webserver logs for suspicious requests targeting ORDS endpoints, looking for unusual parameters or patterns, to proactively identify potential attacks.
  • Implement strong access controls and authentication mechanisms to restrict access to ORDS resources, mitigating the risk of low-privileged users exploiting the vulnerability.

Detection coverage (2 rules)

Detect CVE-2026-35266 Exploitation Attempt - Suspicious ORDS URI

Severity: medium

Detects CVE-2026-35266 exploitation attempt via suspicious URI patterns in Oracle REST Data Services.

Type: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detect CVE-2026-35266 Exploitation Attempt - HTTP POST to ORDS with Suspicious Parameters

Severity: medium

Detects CVE-2026-35266 exploitation attempt via HTTP POST requests to Oracle REST Data Services with potentially malicious parameters.

Type: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detection queries are available on the platform.
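Turning the log-monitoring recommendation and the two rule descriptions above into runnable triage logic, as an added example that is not the platform's Sigma rules and not part of the advisory: it assumes ORDS is served under its default `/ords/` context path and uses constructed heuristics (oversized or control-character parameter values, 5xx responses to POSTs, POST bursts from one client) whose thresholds are assumptions, not indicators published for this CVE.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

ORDS_PREFIX = "/ords/"   # assumed default ORDS context path; adjust to your deployment
MAX_PARAM_LEN = 512      # assumed threshold above which a parameter value is "unusual"
BURST_THRESHOLD = 5      # assumed: this many ORDS POSTs from one client is worth a look

# Apache/Nginx "combined" access log format.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) \S+" '
                     r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$')

def suspicious_params(uri):
    """Reasons why the decoded query parameters of an ORDS request look unusual."""
    reasons = []
    for key, value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            reasons.append(f"oversized value in '{key}'")
        if any(ord(c) < 0x20 for c in value):  # e.g. %0a / %09 hidden inside a parameter
            reasons.append(f"control character in '{key}'")
    return reasons

def triage(log_text):
    """Return [(ip, method, uri, reasons)] for ORDS requests worth analyst review."""
    findings, posts_per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["uri"].startswith(ORDS_PREFIX):
            continue  # skip malformed lines and traffic that never reaches ORDS
        reasons = suspicious_params(m["uri"])
        if m["method"] == "POST":
            posts_per_ip[m["ip"]] += 1
            if m["status"].startswith("5"):
                reasons.append("server error on POST")  # failed attempt or partial-DoS symptom
        if reasons:
            findings.append((m["ip"], m["method"], m["uri"], reasons))
    for ip, n in posts_per_ip.items():
        if n >= BURST_THRESHOLD:
            findings.append((ip, "POST", "*", [f"{n} POSTs to ORDS from one client"]))
    return findings

# Constructed sample traffic (not real logs): benign GET, non-ORDS GET, encoded newline, oversized value, 503 burst.
SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [10/Mar/2026:10:01:02 +0000] "GET /ords/hr/employees/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
     '10.0.0.5 - - [10/Mar/2026:10:01:03 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
     '198.51.100.7 - - [10/Mar/2026:10:02:10 +0000] "POST /ords/hr/employees/?q=%0aX HTTP/1.1" 500 0 "-" "curl/8.0"',
     '198.51.100.7 - - [10/Mar/2026:10:02:11 +0000] "POST /ords/hr/employees/?q=' + "A" * 600 + ' HTTP/1.1" 200 0 "-" "curl/8.0"']
    + [f'198.51.100.7 - - [10/Mar/2026:10:02:{12 + i} +0000] "POST /ords/hr/employees/ HTTP/1.1" 503 0 "-" "curl/8.0"'
       for i in range(4)])
```

Running `triage(SAMPLE_LOG)` flags the two parameter anomalies, each 5xx POST, and the six-POST burst from `198.51.100.7`, while the benign and non-ORDS requests produce nothing.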