CVE-2026-46829 affects Oracle REST Data Services versions 24.2.0 to 26.1.0, specifically the Mongoapi component. The vulnerability allows an unauthenticated attacker with network access over HTTPS to cause a hang or repeated crash of the service, resulting in a complete denial of service. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on availability only. Oracle has included a fix for this vulnerability in its May 2026 Critical Security Patch Update. The advisory emphasizes the importance of applying these patches promptly and notes that workarounds such as blocking network protocols or removing unnecessary privileges may reduce risk temporarily but do not fix the underlying issue.

Successful exploitation of this vulnerability results in a complete denial of service (DoS) condition for Oracle REST Data Services, causing the service to hang or crash repeatedly. There is no impact on confidentiality or integrity. The vulnerability can be exploited remotely without authentication via HTTPS, making it a significant availability risk for affected systems.

Oracle has released a security patch addressing CVE-2026-46829 as part of the May 2026 Critical Security Patch Update. Customers are strongly advised to apply this patch as soon as possible to remediate the vulnerability. Until the patch is applied, risk may be reduced by blocking network protocols required for the attack or by removing unnecessary privileges from users, but these measures may disrupt application functionality and are not permanent solutions. Oracle recommends testing any such changes in non-production environments. Staying on actively supported versions and promptly applying security patches is critical.