This vulnerability in Oracle REST Data Services allows an unauthenticated attacker over the network (via HTTPS) to read a subset of accessible data without authorization. It affects supported versions 24.2.0 through 26.1.0. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) reflects that the attack requires no privileges or user interaction and impacts confidentiality only. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes 35 new security patches across multiple products. The vendor advisory emphasizes the importance of applying these patches promptly and notes that blocking network protocols or removing unnecessary privileges may reduce risk temporarily but are not long-term solutions.

Successful exploitation results in unauthorized read access to a subset of data accessible via Oracle REST Data Services, impacting confidentiality. There is no impact on integrity or availability. The vulnerability is exploitable remotely without authentication and requires only network access via HTTPS. No known active exploitation has been reported.

Oracle has released security patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches as soon as possible. Until patches are applied, risk may be reduced by blocking network protocols required for the attack or by removing unnecessary privileges from users, though these are not long-term solutions and may disrupt functionality. Oracle recommends testing any such changes in non-production environments. Patch status is confirmed as available via the vendor advisory.