CVE-2026-46840

CRITICAL

Oracle REST Data Services 24.2.0-26.1.0 - Unauthenticated Remote Code Execution via HTTPS

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-46840. PoCs published by fangbarristerbar.

AI-analyzed exploit summary: The repository claims to provide an exploit for CVE-2026-46840 (Oracle ORDS RCE) but contains no actual exploit code. Instead, it directs users to a payment link for access to the exploit, which is a common tactic for scams or malware distribution.

Description

Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are 24.2.0-26.1.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTPS to compromise Oracle REST Data Services. While the vulnerability is in Oracle REST Data Services, attacks may significantly impact additional products (scope change). Successful exploitation of this vulnerability can result in takeover of Oracle REST Data Services. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Exploits (1)

GitHub (flagged SUSPICIOUS) · by fangbarristerbar · tagged pythonpoc
https://github.com/fangbarristerbar/CVE-2026-46840-ORDS-RCE


Classification: Suspicious (95%)
Attack type: Deserialization
Complexity: Theoretical
Reliability: Theoretical
Target: Oracle REST Data Services (ORDS) 24.2.0 - 26.1.0
Authentication: none needed
Prerequisites: none provided
Analyzed by devstral-2 on May 29, 2026

References (1)

Core references
Vendor advisory: Oracle Advisory
https://www.oracle.com/security-alerts/cspumay2026.html

Scores

CVSS v3: 10.0
EPSS: 0.0011
EPSS percentile: 29.9%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical impact: total

Details

CWE: CWE-284, CWE-287, CWE-306
Status: published
Products (2)
oracle/rest_data_services 24.2.0 - 26.1.0
Oracle Corporation/Oracle REST Data Services 24.2.0 - 26.1.0
Published: May 28, 2026
Tracked since: May 29, 2026