CVE-2026-46775

Oracle · REST Data Services

A critical vulnerability in the core of Oracle REST Data Services allows low-privileged attackers to gain full system control via network-based HTTPS exploitation.

Executive summary

A critical, easily exploitable vulnerability in Oracle REST Data Services allows low-privileged attackers to compromise the service and impact integrated systems.

Vulnerability

This vulnerability affects the Core component of Oracle REST Data Services. A low-privileged attacker with network access via HTTPS can compromise the service, leading to full takeover. Because the scope changes, the impact can extend beyond Oracle REST Data Services to other products.

Business impact

The CVSS score of 9.9 reflects the high potential for total system compromise. Although the attacker requires low-level privileges, the ability to achieve a full takeover and impact other products makes this a severe risk to organizational security and data integrity.

Remediation

Immediate Action: Apply the patches detailed in the Oracle Critical Security Patch Update Advisory for May 2026.

Proactive Monitoring: Audit user access logs to identify anomalous behavior by low-privileged accounts or unauthorized attempts to access core service functions.

Compensating Controls: Implement strict network segmentation and ensure that access to REST services is restricted to authorized users and devices.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Security teams must prioritize applying the May 2026 patches. Although exploitation requires low-privileged authentication, the potential for escalation to a full system takeover poses an unacceptable risk to enterprise environments.