CVE-2026-46843 affects Oracle REST Data Services (versions 24.2.0 to 26.1.0) and allows an unauthenticated attacker with network access over HTTPS to cause a partial denial of service. The vulnerability impacts availability without affecting confidentiality or integrity. It is rated medium severity with a CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes 35 security fixes across various Oracle products. The vendor strongly recommends applying the security patches immediately. Temporary mitigations such as network protocol blocking or privilege removal may reduce risk but are not long-term solutions. No exploits are currently known in the wild.

Successful exploitation of this vulnerability can result in unauthorized partial denial of service of Oracle REST Data Services, impacting availability. There is no impact on confidentiality or integrity. The vulnerability is exploitable remotely without authentication over HTTPS, increasing the risk of disruption to affected services if unpatched.

Oracle has released security patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers should apply these patches promptly to remediate the issue. Until patches are applied, risk may be reduced by blocking network protocols required for the attack or removing unnecessary privileges from users, but these are temporary measures and may affect application functionality. Oracle strongly recommends testing any mitigations in non-production environments and prioritizing patch deployment as the definitive fix.