Oracle REST Data Services Vulnerability Exposes Critical Data Manipulation Risks
CVE-2026-35277

8.1 HIGH

Key Information:

Vendor: Oracle
CVE Published: 28 May 2026

What is CVE-2026-35277?

An access control vulnerability in Oracle REST Data Services allows a low-privileged attacker with network access via HTTPS to execute unauthorized actions. This can lead to the unauthorized creation, deletion, or modification of critical data in the affected versions of the software. Attackers can gain complete access to sensitive data, posing significant risks to data confidentiality and integrity.

Affected Version(s)

Oracle REST Data Services 24.2.0 <= 26.1.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
