CVE-2026-46775 - Oracle REST Data Services Takeover via Network Access
CVE-2026-46775 is a critical vulnerability in Oracle REST Data Services (Core component) versions 24.2.0-26.1.0, allowing a low-privileged attacker with network access via HTTPS to achieve complete takeover of the service and potentially impact other products.
CVE-2026-46775 is a critical vulnerability affecting Oracle REST Data Services (ORDS). Specifically, the Core component of ORDS versions 24.2.0 through 26.1.0 is susceptible. An attacker with low privileges and network access via HTTPS can exploit this vulnerability to gain complete control over the ORDS instance. While the vulnerability resides within ORDS, successful exploitation could lead to a scope change, impacting other products integrated with or dependent upon ORDS. This could lead to unauthorized access to sensitive data, modification of critical configurations, and disruption of services. Because ORDS is widely used in enterprise environments for RESTful API development and deployment, this vulnerability poses a significant risk to organizations.
Attack Chain
- Attacker gains network access to the target Oracle REST Data Services instance via HTTPS.
- Attacker authenticates to ORDS with low-privileged credentials.
- Attacker crafts a malicious HTTPS request exploiting CVE-2026-46775, targeting the Core component.
- The crafted request bypasses input validation and security checks.
- The vulnerability allows the attacker to execute arbitrary code within the ORDS server context.
- Attacker leverages the code execution to escalate privileges within the ORDS instance.
- Attacker gains full control over the Oracle REST Data Services instance.
- Attacker leverages the compromised ORDS instance to impact other connected products, exfiltrate sensitive data or disrupt services.
Impact
Successful exploitation of CVE-2026-46775 results in a complete takeover of the Oracle REST Data Services instance. This can lead to unauthorized access to sensitive data managed by ORDS, modification of application configurations, and disruption of services provided through ORDS. Due to the potential scope change mentioned in the vulnerability description, successful attacks could impact other products integrated with ORDS, leading to further data breaches, service outages, and financial losses. The CVSS 3.1 base score of 9.9 indicates the high severity and potential for widespread impact.
Recommendation
- Apply the security patch or upgrade to a non-vulnerable version of Oracle REST Data Services as soon as possible.
- Monitor network traffic for suspicious HTTPS requests targeting Oracle REST Data Services endpoints.
- Implement network segmentation to limit the impact of a successful ORDS compromise on other systems, given the scope change noted in the vulnerability description.
- Deploy the provided Sigma rules to detect potential exploitation attempts (see the detection coverage section).
- Review and restrict network access to ORDS instances, since exploitation requires network access via HTTPS.
Detection coverage (2 rules)
Detects CVE-2026-46775 Exploitation Attempt - Suspicious ORDS Request
Severity: high. Detects CVE-2026-46775 exploitation attempt - Suspicious HTTPS requests to Oracle REST Data Services that may indicate command injection or arbitrary code execution attempts.
Detects CVE-2026-46775 Exploitation Attempt - ORDS POST with Suspicious Parameters
Severity: high. Detects CVE-2026-46775 exploitation attempt - HTTP POST requests to Oracle REST Data Services containing parameters that could be used for command injection.
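The two rule descriptions above, turned into an added log-scanning example (this is not the platform's Sigma rules and not code from this page): it parses Apache/nginx combined-format access lines, decodes the request URL, and flags requests to the ORDS context path whose path or parameters carry shell metacharacters or command substitution, labelling POSTs with the stricter rule. The /ords/ prefix, the combined log format and the sample lines are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

ORDS_PREFIX = "/ords/"  # assumed default context path; set to the monitored deployment's
# Apache/nginx "combined" format: src, ident, user, [time], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
INJECTION_RE = re.compile(r"[;|&`]|\$[({]")  # shell metacharacters, command substitution

# Constructed sample lines (not real traffic): benign GET, GET and two POSTs with
# injection markers against ORDS, and a POST with a marker against another app.
SAMPLE_LOG = """\
10.0.0.5 - appuser [02/May/2026:10:15:01 +0000] "GET /ords/hr/employees/?limit=25 HTTP/1.1" 200 1834 "-" "curl/8.6.0"
10.0.0.9 - appuser [02/May/2026:10:15:07 +0000] "GET /ords/hr/employees/?q=a|b HTTP/1.1" 200 311 "-" "python-requests/2.31"
10.0.0.9 - appuser [02/May/2026:10:15:09 +0000] "POST /ords/hr/employees/?name=bob;id HTTP/1.1" 500 212 "-" "python-requests/2.31"
10.0.0.9 - appuser [02/May/2026:10:15:12 +0000] "POST /ords/hr/run/?arg=%24(id) HTTP/1.1" 403 0 "-" "python-requests/2.31"
10.0.0.7 - - [02/May/2026:10:16:00 +0000] "POST /shop/cart/?item=a|b HTTP/1.1" 200 90 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict with decoded path and query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"], rec["query"] = unquote_plus(parts.path), unquote_plus(parts.query)
    return rec

def classify(rec):
    """Rule label for a parsed request, or None: POSTs with injection markers in their
    parameters match the stricter rule, any other ORDS request with markers the broader one."""
    if not rec["path"].startswith(ORDS_PREFIX):
        return None
    if not (INJECTION_RE.search(rec["query"]) or INJECTION_RE.search(rec["path"])):
        return None
    return "ords_post_suspicious_params" if rec["method"] == "POST" else "ords_suspicious_request"

def scan(log_text):
    """Return (rule, source, user, path, decoded query) for every flagged line."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        rule = classify(rec) if rec else None
        if rule:
            hits.append((rule, rec["src"], rec["user"], rec["path"], rec["query"]))
    return hits
```

Request bodies are not in access logs, so a POST whose injected parameters travel in the body needs a reverse-proxy or application log that records them; the same `classify` logic applies once the decoded body is available.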