CVE-2026-34311 (CVSS 9.8) — Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19,

A critical vulnerability has been published under CVE-2026-34311, affecting Oracle Hospitality OPERA 5 Property Services, specifically versions 5.6.19.24, 5.6.22, and 5.6.25.19. The vulnerability carries a CVSS score of 9.8, indicating it is critical and remotely exploitable without authentication. This means an attacker could potentially gain full control over the affected system without needing any user credentials or interaction.

Organizations most affected are those in the hospitality sector, including hotels, resorts, and property management companies that rely on Oracle OPERA 5 for reservations, billing, and guest data management. Given the high severity and the nature of the software, this vulnerability poses a direct risk to personal data processing, which may trigger obligations under GDPR and other EU data protection regulations if guest information is compromised.

Compliance teams should immediately verify whether their organization uses any of the affected versions and prioritize patching as soon as Oracle releases a security update. In the interim, network segmentation and strict access controls should be applied to limit exposure. Additionally, teams should assess whether this vulnerability requires notification to data protection authorities or affected data subjects under applicable breach notification rules.