CVE-2026-46840 is an easily exploitable vulnerability in Oracle REST Data Services (Backend-as-a-Service component) affecting versions 24.2.0 to 26.1.0. An unauthenticated attacker with network access via HTTPS can exploit this flaw to take over the Oracle REST Data Services instance. The vulnerability impacts confidentiality, integrity, and availability with a CVSS 3.1 score of 10.0 and involves a scope change potentially affecting other Oracle products. Oracle has included a fix for this vulnerability in its May 2026 Critical Security Patch Update. The vendor advisory emphasizes the importance of applying security patches without delay and provides guidance on temporary risk reduction measures such as blocking attack-related network protocols or removing unnecessary privileges, though these do not resolve the underlying issue.

Successful exploitation of CVE-2026-46840 results in complete takeover of Oracle REST Data Services, compromising confidentiality, integrity, and availability of the affected system. Due to scope change, the impact may extend to additional Oracle products integrated with REST Data Services. This vulnerability is remotely exploitable without authentication over HTTPS, making it highly critical. No known exploits in the wild have been reported yet, but the potential impact is severe.

Oracle has released a security patch for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches immediately to remediate the vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, but these are temporary measures and may disrupt functionality. Oracle recommends testing any such changes in non-production environments. Patch status is confirmed by the vendor advisory; therefore, applying the official patch is the definitive remediation.