CVE-2026-46840
Oracle · REST Data Services
An easily exploitable, unauthenticated vulnerability in Oracle REST Data Services (ORDS) allows a remote attacker with HTTPS access to take over the service completely.
Executive summary
An easily exploitable, unauthenticated vulnerability in Oracle REST Data Services allows remote attackers to compromise the service and potentially impact additional connected products.
Vulnerability
This vulnerability resides in the Backend-as-a-Service component of Oracle REST Data Services. An unauthenticated attacker with network access over HTTPS can exploit it to take over the service, with high impact on confidentiality, integrity and availability.
Business impact
With a CVSS base score of 10.0, this vulnerability is a critical risk to business operations. A successful attack gives the attacker full control of the affected ORDS instance and of the data it exposes. A 10.0 score also implies a changed scope, meaning the impact extends beyond the vulnerable component itself; in practice that is why the advisory warns that other products integrated with ORDS may be affected, since an attacker can pivot through the access the service holds.
Remediation
Immediate Action: Apply the patches listed in the Oracle Critical Patch Update Advisory for May 2026 to every affected ORDS installation.
Proactive Monitoring: Review web server, reverse proxy and ORDS access logs for requests to REST endpoints that deviate from normal client behaviour: unfamiliar source addresses, enumeration of many distinct paths, bursts of client or server errors, or write methods that the endpoints reject.
Compensating Controls: Until the patch is applied, place ORDS behind a Web Application Firewall (WAF) with current vendor rules for REST API endpoints and, where the deployment allows, restrict network access to the ORDS endpoints to known clients. A WAF is a stopgap, not a substitute for the patch.
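As an added example, not part of the advisory or of Oracle's tooling, the following script implements the log review suggested above: it parses combined-format access logs from the web server or reverse proxy in front of ORDS, keeps only requests under the ORDS context path, and flags source addresses whose traffic shows probing behaviour (a high error ratio, enumeration of many distinct paths, or rejected write requests). It assumes the default `/ords/` context path (adjust `ORDS_PREFIX` for your deployment); the thresholds are starting points, and the sample log lines are constructed, not from any real incident.

```python
"""Triage of access logs for anomalous traffic to ORDS REST endpoints.

Added example for this advisory; not Oracle code. Assumes the Combined Log
Format written by Apache/nginx-style proxies and that ORDS is served under
its default context path /ords/ (assumption: change ORDS_PREFIX if needed).
"""
import re
from collections import defaultdict

ORDS_PREFIX = "/ords/"          # assumption: default ORDS context path
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}

# Leading fields of the Combined Log Format; referer/user-agent are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines: one normal client, one probing client, one
# client that never touches ORDS.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2026:10:01:02 +0000] "GET /ords/hr/employees/ HTTP/1.1" 200 5120
203.0.113.5 - - [12/May/2026:10:01:09 +0000] "GET /ords/hr/employees/42 HTTP/1.1" 200 640
203.0.113.5 - - [12/May/2026:10:01:30 +0000] "GET /ords/hr/departments/ HTTP/1.1" 200 2210
198.51.100.7 - - [12/May/2026:10:02:15 +0000] "POST /ords/_/sql HTTP/1.1" 404 153
198.51.100.7 - - [12/May/2026:10:02:16 +0000] "POST /ords/admin/ HTTP/1.1" 404 153
198.51.100.7 - - [12/May/2026:10:02:17 +0000] "GET /ords/metadata-catalog/ HTTP/1.1" 401 0
198.51.100.7 - - [12/May/2026:10:02:18 +0000] "PUT /ords/hr/employees/1 HTTP/1.1" 405 0
198.51.100.7 - - [12/May/2026:10:02:19 +0000] "DELETE /ords/hr/employees/1 HTTP/1.1" 405 0
198.51.100.7 - - [12/May/2026:10:02:20 +0000] "GET /ords/hr/employees/ HTTP/1.1" 200 5120
192.0.2.9 - - [12/May/2026:10:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 8812
"""


def parse_line(line):
    """Return a dict with ip, method, path (query string stripped) and
    integer status, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def triage(lines, min_requests=3, max_error_ratio=0.5, max_distinct_paths=5):
    """Group ORDS requests by source address and return {ip: [reasons]} for
    sources whose traffic looks like probing rather than normal API use."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(ORDS_PREFIX):
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_requests:     # too little traffic to judge
            continue
        reasons = []
        errors = sum(1 for r in recs if r["status"] >= 400)
        ratio = errors / len(recs)
        if ratio >= max_error_ratio:
            reasons.append(f"error ratio {ratio:.0%} over {len(recs)} ORDS requests")
        distinct = {r["path"] for r in recs}
        if len(distinct) >= max_distinct_paths:
            reasons.append(f"{len(distinct)} distinct ORDS paths (endpoint enumeration)")
        # Writes the service refused outright (auth required / method not allowed).
        rejected = [r for r in recs if r["method"] in MUTATING and r["status"] in (401, 403, 405)]
        if rejected:
            methods = ", ".join(sorted({r["method"] for r in rejected}))
            reasons.append(f"{len(rejected)} rejected write requests ({methods})")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOG.splitlines()).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Run it against the real log with `triage(open(path).read().splitlines())`. Flagged sources are leads for manual review, not confirmation of exploitation: compare them against known clients and integration hosts, and raise or lower the thresholds to match the normal request mix of your ORDS deployment.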
Exploitation status
Public Exploit Available: False
Analyst recommendation
Organizations should immediately inventory their Oracle software, identify every ORDS deployment (including instances shipped alongside other Oracle products) and apply the May 2026 security updates. Because the flaw requires no authentication and is easy to exploit, patching should not wait for a public exploit to appear.