This vulnerability affects the Core component of Oracle REST Data Services (versions 24.2.0 to 26.1.0). It allows an unauthenticated attacker with network access over HTTPS to compromise the service by performing unauthorized data modification operations such as update, insert, or delete. The CVSS 3.1 base score is 5.3, reflecting a medium severity primarily due to integrity impact without confidentiality or availability impact. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes 35 security patches across multiple products including Oracle REST Data Services. The vendor advisory emphasizes the importance of applying these patches without delay and offers guidance on temporary risk reduction measures such as blocking network protocols or removing unnecessary privileges, though these are not long-term solutions.

Successful exploitation allows unauthorized modification of some accessible data in Oracle REST Data Services, impacting data integrity. There is no impact on confidentiality or availability according to the CVSS vector. No known exploits have been reported in the wild. The vulnerability can be exploited remotely without authentication over HTTPS.

Oracle has released patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers are strongly advised to apply these security patches as soon as possible to remediate the vulnerability. Until patches are applied, risk may be partially reduced by blocking network protocols required for the attack or by removing unnecessary privileges from users, but these are not substitutes for patching. Oracle recommends testing any such mitigations in non-production environments before deployment. Staying on supported product versions and promptly applying security updates is critical to maintaining security.