CVE-2026-46839 is a critical vulnerability affecting Oracle REST Data Services (versions 24.2.0 to 26.1.0). It enables a low privileged attacker with network access over HTTPS to compromise the service, potentially resulting in full takeover. The vulnerability affects confidentiality, integrity, and availability, with a CVSS 3.1 score of 9.9 and vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes targeted security patches for Oracle REST Data Services among other products. Oracle strongly recommends applying these patches immediately. Workarounds such as blocking network protocols or removing privileges may reduce risk temporarily but do not fix the underlying issue. No known exploits have been reported in the wild.

Successful exploitation of this vulnerability can lead to complete compromise of Oracle REST Data Services, affecting confidentiality, integrity, and availability of the service. Because of scope change, additional Oracle products relying on REST Data Services may also be impacted. The critical CVSS score of 9.9 reflects the high severity and ease of exploitation over the network with low privileges and no user interaction required.

Oracle has released security patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers should apply these patches as soon as possible to remediate the vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or removing unnecessary privileges from users, but these are temporary measures and may disrupt functionality. Oracle strongly recommends testing any mitigations in non-production environments. There is no indication that this vulnerability is already mitigated or that no action is required.