CVE | nvd | 28 May 2026

CVE-2026-46775 (CVSS 9.9) — Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network acce

CVE. Sourced from nvd, summarised by Matproof.

AI Analysis

What changed and what to do.

A critical vulnerability has been published under CVE-2026-46775, affecting Oracle REST Data Services in versions 24.2.0 through 26.1.0. The flaw, rated 9.9 on the CVSS scale, is easily exploitable by a low-privileged attacker with network access, meaning it poses a severe risk of unauthorized data access or system compromise. The disclosure was made by the National Vulnerability Database on May 28, 2026, and falls under the Common Vulnerabilities and Exposures framework.

Organizations across all sectors that deploy Oracle REST Data Services are affected, particularly those in finance, healthcare, public administration, and any EU-regulated entity relying on Oracle databases for RESTful API integrations. Given the low privilege requirement and high severity, any organization using the affected versions should treat this as an urgent security incident, as it could lead to regulatory non-compliance under GDPR or sector-specific data protection rules if exploited.

Compliance teams should immediately verify whether their Oracle REST Data Services instances fall within the vulnerable version range and apply the vendor-supplied patch or upgrade to a non-affected version. Additionally, they should review access controls and monitor logs for signs of exploitation, and document remediation steps for potential regulatory audit inquiries. A risk assessment should be conducted to determine if any data breaches have occurred, with notification obligations under applicable EU regulations considered.

View original at nvd

This summary is AI-generated for orientation purposes. For regulatory action, always consult the original source linked above.
