CVE-2026-46841 affects Oracle REST Data Services versions 24.2.0 to 26.1.0 and allows an unauthenticated attacker with network access over HTTPS to read a subset of accessible data without authorization. The vulnerability is rated medium severity with a CVSS 3.1 score of 5.3, reflecting a confidentiality impact only. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes 35 security patches across multiple products. The vendor advisory emphasizes the importance of applying these patches promptly and provides guidance on temporary risk reduction measures. No known exploits in the wild have been reported. Oracle recommends staying on supported versions and applying patches without delay to prevent exploitation.

Successful exploitation of this vulnerability results in unauthorized read access to some data accessible via Oracle REST Data Services, impacting confidentiality. There is no impact on integrity or availability. The vulnerability can be exploited remotely without authentication over HTTPS. No known active exploitation has been reported. The medium CVSS score (5.3) reflects the limited scope of data exposure and the lack of privilege or user interaction requirements.

Oracle has released security patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers should apply these patches promptly to remediate the issue. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, but these are temporary measures and may affect application functionality. Oracle strongly recommends testing any such changes in non-production environments and does not consider these workarounds as permanent fixes. Refer to the Oracle advisory at https://www.oracle.com/security-alerts/cspumay2026.html for detailed patch availability and installation instructions.