This vulnerability affects the Core component of Oracle REST Data Services versions 24.2.0 to 26.1.0. It is easily exploitable by an attacker with low privileges who has network access over HTTPS, allowing compromise of the Oracle REST Data Services instance. The vulnerability has a CVSS 3.1 base score of 9.9, indicating critical impact on confidentiality, integrity, and availability, and includes scope change affecting additional Oracle products. Oracle has published a Critical Security Patch Update in May 2026 that addresses this vulnerability. The advisory emphasizes the importance of applying patches promptly and notes that temporary mitigations such as blocking network protocols or removing privileges may reduce risk but are not substitutes for patching.

Successful exploitation can lead to complete takeover of Oracle REST Data Services, impacting confidentiality, integrity, and availability of the service. The vulnerability also has scope change implications, potentially affecting additional Oracle products beyond REST Data Services. There are no known exploits in the wild currently, but the critical severity and ease of exploitation pose a significant risk if unpatched.

Oracle has released a security patch for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers should apply this patch as soon as possible to fully remediate the issue. Until patched, risk may be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, but these are temporary measures and may impact application functionality. Oracle strongly recommends testing any such mitigations in non-production environments and prioritizing patch deployment. Patch status is confirmed by the vendor advisory.