Cyber Resilience

CVE-2026-46833

Critical · Updated

Published: 28 May 2026

Modified: 17 June 2026
KEV Added
Patch
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0033 (24.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-46833 is a critical-severity vulnerability of unspecified weakness type in Oracle Database Server. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 24.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via TLS to compromise Net Service. While the vulnerability is in Net Service, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Net Service. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A remote, unauthenticated network exploit over TLS against the Oracle Net Service component directly enables initial access through exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30751 · Same product: Oracle Database Server
CVE-2026-46834 · Same product: Oracle Database Server
CVE-2026-46835 · Same product: Oracle Database Server
CVE-2026-46821 · Same vendor: Oracle
CVE-2026-46818 · Same vendor: Oracle
CVE-2026-34297 · Same vendor: Oracle
CVE-2025-50060 · Same vendor: Oracle
CVE-2026-46775 · Same vendor: Oracle
CVE-2026-34285 · Same vendor: Oracle
CVE-2026-46822 · Same vendor: Oracle

Affected Assets

Vendor: oracle · Product: database server · Versions: 23.4.0-23.26.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
