CVE-2026-35266: Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. in Oracle Corporation Oracle REST Data Services
CVE-2026-35266 is a high-severity vulnerability in Oracle REST Data Services versions 24. 2. 0 through 26. 1. 0. It allows a low privileged attacker with network access via HTTPS to potentially compromise the service, but exploitation requires user interaction from someone other than the attacker. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, unauthorized access to all accessible data, and partial denial of service of the Oracle REST Data Services. The vulnerability has a CVSS 3. 1 base score of 7. 9, indicating significant confidentiality, integrity, and availability impacts.
AI Analysis
Technical Summary
This vulnerability affects Oracle REST Data Services (Core component) versions 24.2.0 to 26.1.0. It is exploitable remotely over the network via HTTPS by a low privileged attacker, but requires user interaction from a third party. The vulnerability allows unauthorized creation, deletion, or modification of critical data, unauthorized access to all data accessible by Oracle REST Data Services, and can cause a partial denial of service. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L) reflects network attack vector, high attack complexity, low privileges required, user interaction required, scope change, and high confidentiality and integrity impact with low availability impact. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which contains multiple security patches across products including Oracle REST Data Services. The vendor strongly recommends applying these patches promptly.
Potential Impact
Successful exploitation can result in unauthorized creation, deletion, or modification of critical data within Oracle REST Data Services, unauthorized access to all data accessible by the service, and partial denial of service conditions. The vulnerability affects confidentiality, integrity, and availability of data and services. The attack requires network access via HTTPS and user interaction from a person other than the attacker. There are no known exploits in the wild at this time.
Mitigation Recommendations
Oracle strongly recommends applying the May 2026 Critical Security Patch Update, which includes patches addressing this vulnerability. Customers should remain on actively supported versions and apply security patches without delay. Until patches are applied, risk may be reduced by blocking network protocols required by the attack or removing unnecessary privileges from users, but these are not long-term solutions and may impact functionality. Testing any mitigations on non-production systems is advised. Patch status is confirmed by the vendor advisory indicating availability of security patches in the May 2026 update.
CVE-2026-35266: Difficult to exploit vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle REST Data Services. in Oracle Corporation Oracle REST Data Services
Description
CVE-2026-35266 is a high-severity vulnerability in Oracle REST Data Services versions 24. 2. 0 through 26. 1. 0. It allows a low privileged attacker with network access via HTTPS to potentially compromise the service, but exploitation requires user interaction from someone other than the attacker. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, unauthorized access to all accessible data, and partial denial of service of the Oracle REST Data Services. The vulnerability has a CVSS 3. 1 base score of 7. 9, indicating significant confidentiality, integrity, and availability impacts.
CVSS v3.1
Score 7.9high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Oracle REST Data Services (Core component) versions 24.2.0 to 26.1.0. It is exploitable remotely over the network via HTTPS by a low privileged attacker, but requires user interaction from a third party. The vulnerability allows unauthorized creation, deletion, or modification of critical data, unauthorized access to all data accessible by Oracle REST Data Services, and can cause a partial denial of service. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L) reflects network attack vector, high attack complexity, low privileges required, user interaction required, scope change, and high confidentiality and integrity impact with low availability impact. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which contains multiple security patches across products including Oracle REST Data Services. The vendor strongly recommends applying these patches promptly.
Potential Impact
Successful exploitation can result in unauthorized creation, deletion, or modification of critical data within Oracle REST Data Services, unauthorized access to all data accessible by the service, and partial denial of service conditions. The vulnerability affects confidentiality, integrity, and availability of data and services. The attack requires network access via HTTPS and user interaction from a person other than the attacker. There are no known exploits in the wild at this time.
Mitigation Recommendations
Oracle strongly recommends applying the May 2026 Critical Security Patch Update, which includes patches addressing this vulnerability. Customers should remain on actively supported versions and apply security patches without delay. Until patches are applied, risk may be reduced by blocking network protocols required by the attack or removing unnecessary privileges from users, but these are not long-term solutions and may impact functionality. Testing any mitigations on non-production systems is advised. Patch status is confirmed by the vendor advisory indicating availability of security patches in the May 2026 update.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-04-01T20:03:40.835Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspumay2026.html","vendor":"Oracle"}]
Threat ID: 6a18aa29e29bf47b5027bd82
Added to database: 5/28/2026, 8:48:41 PM
Last enriched: 5/28/2026, 9:21:11 PM
Last updated: 5/29/2026, 8:18:35 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.