{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/ords/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.9,"id":"CVE-2026-35266"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["REST Data Services (24.2.0-26.1.0)"],"_cs_severities":["medium"],"_cs_tags":["vulnerability","oracle","ords"],"_cs_type":"advisory","_cs_vendors":["Oracle"],"content_html":"\u003cp\u003eCVE-2026-35266 describes a vulnerability affecting Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0. A low-privileged attacker with network access via HTTPS can exploit this vulnerability. The exploit is considered difficult and requires human interaction from a person other than the attacker to succeed. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, unauthorized access to sensitive information, and a partial denial of service (DoS) condition. While the vulnerability resides in ORDS, successful attacks may impact additional products.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial network access to the target ORDS instance via HTTPS.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting a vulnerable endpoint within ORDS.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages a vulnerability in the ORDS core component.\u003c/li\u003e\n\u003cli\u003eThe attacker requires a separate user to interact with a crafted payload, potentially through social engineering or other deceptive methods.\u003c/li\u003e\n\u003cli\u003eUpon successful user interaction, the attacker gains unauthorized privileges within the ORDS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the elevated privileges to access, modify, or delete critical data within ORDS.\u003c/li\u003e\n\u003cli\u003eThe attacker may pivot to other systems or applications accessible through ORDS, expanding the scope of the attack.\u003c/li\u003e\n\u003cli\u003eThe attacker may trigger a partial denial of service (DoS) condition, disrupting ORDS functionality.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-35266 allows unauthorized creation, deletion, or modification access to critical data within Oracle REST Data Services. Furthermore, it grants unauthorized access to sensitive information and the potential to cause a partial denial of service, impacting the availability of ORDS. The scope change indicated implies that a successful attack against ORDS could lead to further compromise of interconnected systems and data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the latest patches and updates for Oracle REST Data Services to remediate CVE-2026-35266.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules to your SIEM to detect potential exploitation attempts (see below).\u003c/li\u003e\n\u003cli\u003eMonitor webserver logs for suspicious requests targeting ORDS endpoints, looking for unusual parameters or patterns, to proactively identify potential attacks.\u003c/li\u003e\n\u003cli\u003eImplement strong access controls and authentication mechanisms to restrict access to ORDS resources, mitigating the risk of low-privileged users exploiting the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T21:19:16Z","date_published":"2026-05-28T21:19:16Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-35266-ords/","summary":"A vulnerability exists in Oracle REST Data Services versions 24.2.0 to 26.1.0, where a low-privileged attacker with network access via HTTPS can, with human interaction, gain unauthorized data access, modification, and cause a partial denial of service.","title":"CVE-2026-35266: Oracle REST Data Services Vulnerability Allows Unauthorized Data Access and Modification","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-35266-ords/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.9,"id":"CVE-2026-46839"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["REST Data Services (24.2.0-26.1.0)"],"_cs_severities":["critical"],"_cs_tags":["cve","rce","oracle","ords"],"_cs_type":"advisory","_cs_vendors":["Oracle"],"content_html":"\u003cp\u003eCVE-2026-46839 is a critical vulnerability affecting Oracle REST Data Services (ORDS). Specifically, the 'Core' component in versions 24.2.0 through 26.1.0 is susceptible to a remote takeover. A low-privileged attacker with network access via HTTPS can exploit this vulnerability. The scope of impact extends beyond ORDS, potentially affecting additional products. This means a successful exploit can have cascading effects across an organization's infrastructure that relies on the affected ORDS instance. Given the potential for complete system takeover, patching and mitigation are critical.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an Oracle REST Data Services instance running a vulnerable version (24.2.0 - 26.1.0).\u003c/li\u003e\n\u003cli\u003eThe attacker establishes network access to the ORDS instance via HTTPS (port 443 or a custom HTTPS port).\u003c/li\u003e\n\u003cli\u003eThe attacker authenticates to the ORDS instance using low-privileged credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTPS request specifically targeting the vulnerable component within the ORDS core.\u003c/li\u003e\n\u003cli\u003eThe malicious request exploits the vulnerability, allowing the attacker to execute arbitrary code within the ORDS environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial foothold to escalate privileges within the ORDS instance.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control of the ORDS instance, potentially compromising sensitive data and configurations.\u003c/li\u003e\n\u003cli\u003eThe attacker pivots from the compromised ORDS instance to other connected systems, leveraging the \u0026quot;scope change\u0026quot; mentioned in the vulnerability description to compromise additional products.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-46839 can lead to a complete takeover of the Oracle REST Data Services instance. This can result in unauthorized access to sensitive data, modification of critical system configurations, and disruption of services. Due to the potential \u0026quot;scope change,\u0026quot; other products integrated with the compromised ORDS instance may also be affected, leading to a wider breach of confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately patch all Oracle REST Data Services instances to a version outside the vulnerable range (24.2.0 - 26.1.0) to address CVE-2026-46839.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious HTTPS requests targeting ORDS instances, specifically requests with unusual parameters or payloads, using a network intrusion detection system (NIDS).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect CVE-2026-46839 Exploitation Attempt\u003c/code\u003e to identify potential exploitation attempts within web server logs.\u003c/li\u003e\n\u003cli\u003eReview and restrict network access to ORDS instances, limiting access to only authorized users and systems, to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-28T21:18:46Z","date_published":"2026-05-28T21:18:46Z","id":"https://feed.craftedsignal.io/briefs/2026-05-oracle-ords-rce/","summary":"CVE-2026-46839 is an easily exploitable vulnerability in Oracle REST Data Services versions 24.2.0 through 26.1.0, allowing a low-privileged attacker with network access via HTTPS to compromise the service, potentially impacting other products and leading to a complete takeover.","title":"CVE-2026-46839: Oracle REST Data Services Vulnerability Allows Remote Takeover","url":"https://feed.craftedsignal.io/briefs/2026-05-oracle-ords-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Ords","version":"https://jsonfeed.org/version/1.1"}