Cyber Resilience

CVE-2026-35277

Severity: High (updated)
Published: 28 May 2026
Modified: 17 June 2026
KEV Added: not listed
Patch: (no date given)
CVSS v3.1 score: 8.1, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS score: 0.0027 (18.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-35277 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Oracle REST Data Services. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 18.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Vulnerability in Oracle REST Data Services (component: Core). Supported versions that are affected are 24.2.0-26.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle REST Data Services. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle REST Data Services accessible data as well as unauthorized access to critical data or complete access to all Oracle REST Data Services accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CWE(s): CWE-284 (Improper Access Control), CWE-400 (Uncontrolled Resource Consumption)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Network-accessible REST service with improper access control (CWE-284) directly enables remote exploitation by low-privileged attackers.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-46775 (same product: Oracle REST Data Services)
CVE-2026-46839 (same product: Oracle REST Data Services)
CVE-2026-35266 (same product: Oracle REST Data Services)
CVE-2026-46840 (same product: Oracle REST Data Services)
CVE-2026-46829 (same product: Oracle REST Data Services)
CVE-2026-46818 (same vendor: Oracle)
CVE-2026-34310 (same vendor: Oracle)
CVE-2026-34287 (same vendor: Oracle)
CVE-2026-46822 (same vendor: Oracle)
CVE-2025-50105 (same vendor: Oracle)

Affected Assets

Vendor: Oracle
Product: REST Data Services
Versions: 24.2.0 through 26.1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-284, CWE-400: System audit review detects violations of access controls by identifying unauthorized access attempts.

Addresses CWE-284, CWE-400: The team provides specialized analysis of access-related incidents, enabling quicker identification and response to unauthorized access attempts.

Addresses CWE-284, CWE-400: Explicit security control assessments verify proper access control enforcement, detecting weaknesses that the flaw remediation process then eliminates.

Addresses CWE-284, CWE-400: Resiliency goals and objectives routinely incorporate least-privilege and access-control maintenance under adverse conditions, reducing improper access control.

Addresses CWE-284, CWE-400: Role separation implements access control boundaries between internal and external name resolution services.

Addresses CWE-284, CWE-400: Distribution forces an attacker to compromise multiple independent components rather than a single centralized target, directly reducing the impact of access control failures.

Addresses CWE-284, CWE-400: Directly detects unauthorized local/network/remote connections and system use that result from improper access control.

Addresses CWE-284: The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
