LIVE NEWSROOM · June 2, 2026

CVE-2026-46840: Oracle REST Data Services CVSS 10.0 in First Monthly CSPU


CVE-2026-46840 (a remotely exploitable, unauthenticated critical flaw in Oracle REST Data Services — Oracle's server-side framework for building RESTful APIs on top of Oracle Database) carries a CVSS v3.1 (Common Vulnerability Scoring System version 3.1 — the industry-standard 0–10 scale for quantifying vulnerability severity) score of 10.0, the maximum possible, indicating that an unauthenticated attacker on any network can achieve full compromise with no user interaction and no prerequisite access. CISA has confirmed active exploitation and added CVE-2026-46840 to the KEV (Known Exploited Vulnerabilities — the U.S. Cybersecurity and Infrastructure Security Agency's authoritative catalog of vulnerabilities confirmed to be actively weaponised in the wild) catalog. The vulnerability is one of 77 resolved by Oracle's first monthly CSPU (Critical Security Patch Update — Oracle's new monthly targeted patch release supplementing its quarterly CPU cycle), released May 28, 2026, which also includes 17 additional remotely-exploitable, unauthenticated flaws across Oracle Database Server, E-Business Suite, Communications, and Hospitality OPERA 5.

// 01 CVE-2026-46840: Technical Details

CVE-2026-46840 resides in the Backend-as-a-Service component of Oracle REST Data Services (ORDS), a widely deployed middleware layer that exposes Oracle Database functionality via HTTP/HTTPS endpoints — meaning the vulnerability is directly reachable from any network that can access the ORDS listener, typically the internet.

The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:

  • AV:N (Attack Vector: Network) — Exploitable remotely over the network without physical access.
  • AC:L (Attack Complexity: Low) — No specialised conditions, race conditions, or elevated access required. The attack is reliable and repeatable.
  • PR:N (Privileges Required: None) — No account credentials of any kind are needed.
  • UI:N (User Interaction: None) — The victim does not need to click anything or visit a page.
  • S:C (Scope: Changed) — A successful exploit escapes the ORDS process boundary and affects resources beyond the vulnerable component itself, typically the underlying Oracle Database.
  • C:H / I:H / A:H (Confidentiality / Integrity / Availability: High) — Complete disclosure of all data, ability to modify or destroy data, and full denial of service to the system.

Oracle has not publicly disclosed the specific root cause (buffer overflow, authentication bypass, deserialization flaw, etc.) of CVE-2026-46840 at the time of the CSPU release, consistent with its policy of limiting technical details to reduce immediate exploitation risk. The advisory confirms affected versions are ORDS 24.2.0 through 26.1.0.

The same CSPU also patches CVE-2026-46775 (CVSS 9.9) and CVE-2026-46839 (CVSS 9.9) in Oracle REST Data Services, and CVE-2026-46833 (CVSS 9.0) in Oracle Database Server's Net Service component. A further four critical-severity flaws score above 9.0 in Oracle E-Business Suite.

[Figure: CVE-2026-46840 unauthenticated exploit path — Oracle ORDS remote takeover]

// 02 Exploitation Status and Threat Landscape

CVE-2026-46840 has been added to the CISA KEV (Known Exploited Vulnerabilities) catalog, confirming active exploitation in the wild — meaning real attackers are currently using this vulnerability against production systems, not merely testing it in lab conditions. Under Binding Operational Directive (BOD) 22-01, U.S. federal civilian executive branch (FCEB) agencies are required to apply patches for KEV-listed vulnerabilities before the CISA-specified deadline.

Several Oracle Communications Unified Assurance vulnerabilities included in the same CSPU also carry elevated exploitation risk:

  • CVE-2025-15467: Public PoC (Proof-of-Concept — a working exploit demonstration published openly) available.
  • CVE-2025-58050: Public PoC available; originally disclosed August 2024, present in the May CSPU as a newly fixed item.
  • CVE-2026-25646: Public PoC available.

Oracle's advisory explicitly notes that the company "continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches," confirming that attackers actively target Oracle environments where patches are delayed. Of the 77 CVEs addressed, 18 of the 35 Oracle-specific patches cover vulnerabilities that are remotely exploitable without authentication — more than half.

// 03 Who Is Affected

The May 2026 CSPU patches five Oracle product families:

Product                                   Versions Affected   Critical Flaws       Unauthenticated RCE
Oracle REST Data Services (ORDS)          24.2.0–26.1.0       3 (CVSS 9.9–10.0)    7 of 11 patches
Oracle E-Business Suite                   12.2.3–12.2.15      4 (CVSS 9.0+)        3 of 12 patches
Oracle Database Server                    23.4.0–23.26.2      1 (CVSS 9.0)         3 of 3 patches
Oracle Communications Unified Assurance   6.1.1–7.0.0         1 (CVSS 9.1)         4 of 8 patches
Oracle Hospitality OPERA 5                5.6.x               1 (CVSS 9.8)         1 of 1 patch

The 77-vulnerability total also includes approximately 42 third-party component CVEs embedded in Oracle Communications — covering Apache Kafka, ActiveMQ, Tomcat, ZooKeeper, MySQL, PCRE2, libpng, and Apache HTTP Server. These are patched by updating the Oracle product bundles.

Not covered by this CSPU: WebLogic Server, PeopleSoft, Fusion Middleware, and most other Oracle middleware remain on the quarterly CPU cycle (next: July 2026). Oracle has indicated that future CSPUs may expand their product scope over time.

ORDS deployments are commonly internet-facing as the REST API gateway between Oracle databases and web or mobile applications, placing CVE-2026-46840 in a particularly high-exposure position for any organisation running Oracle database-backed web services.

// 04 What You Should Do Right Now

  • Patch ORDS immediately — update all Oracle REST Data Services instances from affected versions 24.2.0–26.1.0 to the fixed release. Download patches from My Oracle Support under the May 2026 CSPU advisory at oracle.com/security-alerts/cspumay2026.html. Federal agencies are bound by BOD 22-01 to apply KEV-listed patches before the CISA deadline.
  • Audit ORDS exposure — identify all ORDS instances accessible from the internet or untrusted networks. If any instance cannot be patched immediately, restrict network access to ORDS listener ports (typically 443 or 8080) to known-good IP ranges via firewall ACL as a temporary workaround.
  • Apply all remaining CSPU patches — prioritise the full list of CVSS 9.0+ CVEs across Oracle E-Business Suite, Database Server, Communications Unified Assurance, and Hospitality OPERA 5 in the days to two weeks following the CVE-2026-46840 patch.
  • Monitor for active exploitation indicators — review ORDS access logs for anomalous HTTP/HTTPS requests, especially unexpected POST bodies to Backend-as-a-Service endpoints, unusual response sizes, or requests originating from unfamiliar IPs. Check the CISA KEV catalog at cisa.gov/known-exploited-vulnerabilities-catalog for any updated deadline.
  • Subscribe to Oracle Security Alerts — Oracle now provides a Thursday pre-release announcement before each CSPU release (next CSPU: June 16, 2026; pre-release announcement expected approximately June 12). Subscribe at oracle.com/security-alerts to begin staging patch deployment before each release date.
  • Oracle Cloud customers — no action required; Oracle automatically applies CSPU patches to Oracle Cloud services. Verify the patch status in your cloud tenancy console if your workloads integrate ORDS-based REST services.
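The "audit exposure" and "monitor for exploitation indicators" steps above can be turned into a repeatable first-pass triage of the ORDS listener's access log. The script below is an added example, not Ciphers Security's or Oracle's code. It assumes (these are not facts from the article) that the listener writes Combined Log Format lines as Apache or Tomcat access logs do, that the application's legitimate API lives under the path prefixes in KNOWN_API_PREFIXES, that TRUSTED_NETWORKS are the ranges the firewall ACL is meant to allow, and that 256 KiB is a sensible "unusual response size" for this particular API. All sample log lines are constructed.

```python
"""First-pass triage of ORDS listener access logs for the indicators named above
(added example; not Ciphers Security's or Oracle's code).

Assumptions, not facts from the article: Combined Log Format lines, the API
path prefixes, the trusted IP ranges and the response-size threshold below
are placeholders to be replaced with the values of a real deployment.
"""
import ipaddress
import re
from dataclasses import dataclass, field

TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),   # constructed internal range
                    ipaddress.ip_network("192.0.2.0/24")]   # TEST-NET-1, constructed
KNOWN_API_PREFIXES = ("/ords/hr/",)                         # hypothetical application path
LARGE_RESPONSE_BYTES = 256 * 1024                           # assumed threshold

# Combined Log Format: ip ident user [time] "METHOD path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


@dataclass
class Finding:
    line_no: int
    ip: str
    method: str
    path: str
    reasons: list = field(default_factory=list)


def triage(lines):
    """Return one Finding per log line that trips at least one indicator."""
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_RE.match(line)
        if not m:
            # A line the parser cannot read deserves a human look, not silence.
            findings.append(Finding(n, "?", "?", "?", ["unparseable line"]))
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        size = 0 if m["size"] == "-" else int(m["size"])
        reasons = []

        # Indicator 1: request from outside the ranges the ACL should allow.
        try:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in TRUSTED_NETWORKS):
                reasons.append(f"source {ip} outside trusted networks")
        except ValueError:
            reasons.append(f"malformed source address {ip!r}")

        # Indicator 2: write request to an endpoint the application never exposes.
        if method in ("POST", "PUT", "PATCH") and not path.startswith(KNOWN_API_PREFIXES):
            reasons.append(f"{method} to unexpected path {path}")

        # Indicator 3: unusually large response (bulk data leaving the database).
        if size > LARGE_RESPONSE_BYTES:
            reasons.append(f"response size {size} exceeds {LARGE_RESPONSE_BYTES}")

        if reasons:
            findings.append(Finding(n, ip, method, path, reasons))
    return findings


# Constructed sample lines: two benign, then three that should be flagged.
SAMPLE_LOG = [
    '10.20.4.7 - - [29/May/2026:08:01:12 +0000] "GET /ords/hr/employees/ HTTP/1.1" 200 1832 "-" "curl/8.5"',
    '192.0.2.44 - - [29/May/2026:08:02:03 +0000] "POST /ords/hr/employees/ HTTP/1.1" 201 95 "-" "app/1.0"',
    '203.0.113.9 - - [29/May/2026:08:02:41 +0000] "POST /ords/other-app/tasks HTTP/1.1" 200 410 "-" "python-requests/2.31"',
    '10.20.4.7 - - [29/May/2026:08:03:15 +0000] "GET /ords/hr/employees/ HTTP/1.1" 200 4194304 "-" "curl/8.5"',
    'garbage line that log rotation truncated',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.method} {f.path} from {f.ip}: " + "; ".join(f.reasons))
```

The point of the design is that each indicator is independent and explains itself in the finding, so an analyst can tune the allowlists and threshold per deployment without losing the other checks; a line that trips two indicators (an untrusted source writing to an unexpected path) is the one to escalate first.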

// 05 Background: Understanding Oracle's New Monthly CSPU Program

The May 28, 2026 release is the inaugural edition of Oracle's new CSPU (Critical Security Patch Update) program — the most significant restructuring of Oracle's patch delivery cadence in over a decade. Until now, Oracle released patches only through its quarterly CPU (Critical Patch Update — Oracle's bundled security advisory released four times per year in January, April, July, and October). Quarterly releases meant that a critical vulnerability discovered the day after a CPU could sit unpatched for up to 89 days before the next scheduled fix.

Oracle's stated motivation for monthly CSPUs is that AI-assisted vulnerability detection has accelerated its internal security pipeline, making it feasible to validate and release critical fixes on a monthly cadence between quarterly CPUs. The CSPU supplements rather than replaces the quarterly CPU: the quarterly releases will still deliver cumulative comprehensive patches, while CSPUs target critical and high-severity issues that cannot wait three months.

The program runs on the third Tuesday of the eight months that do not contain a quarterly CPU (February, March, May, June, August, September, November, December), giving Oracle customers 12 patch events per year in total. The quarterly CPUs remain the larger releases; May's inaugural CSPU with 35 Oracle-specific patches compares to the April 2026 quarterly CPU, which addressed 450 vulnerabilities.

Previous quarters have shown the real-world stakes of delayed Oracle patching. CVE-2025-61757 (CVSS 9.8 in Oracle Identity Manager) was separately added to CISA KEV due to active exploitation, and Oracle's own advisory history includes multiple cases where attackers successfully exploited vulnerabilities that had been patched in prior CPUs but not applied by customers.

The scale of Oracle's enterprise footprint amplifies the urgency: Oracle Database underpins financial systems, healthcare records, government infrastructure, and ERP deployments worldwide. ORDS in particular is the API gateway for an expanding range of Oracle cloud-connected applications. A CVSS 10.0, unauthenticated, internet-facing vulnerability in ORDS is effectively an unauthenticated key to the database backend.

// 06 Conclusion

CVE-2026-46840 — CVSS 10.0, no authentication required, CISA KEV-confirmed active exploitation — is the highest-priority patch in Oracle's first monthly CSPU release. All organisations running Oracle REST Data Services versions 24.2.0 through 26.1.0 should treat this as an emergency patch requiring immediate action, not a routine update. Apply the ORDS patch today, restrict network access to ORDS endpoints if patching will be delayed, and prepare for the second monthly CSPU on June 16, 2026.

For any query contact us at contact@cipherssecurity.com

Team Ciphers Security

The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.