Multiple Critical Vulnerabilities in Oracle Products
3 June 2026
Oracle has released security updates to address multiple vulnerabilities across several Oracle products that could allow unauthenticated attackers to compromise and take over affected systems. Users and administrators of affected products are advised to update to the latest versions immediately.
Background
In its monthly advisory, Oracle has released security updates to address multiple vulnerabilities affecting Oracle REST Data Services, Oracle E-Business Suite, Oracle Communications Unified Assurance, Oracle Database Server, and Oracle Hospitality OPERA 5 Property Services.
These vulnerabilities have the following Common Vulnerability Scoring System (CVSS v3.1) scores out of 10: CVE-2026-46840 at 10.0; CVE-2026-46817 and CVE-2026-34311 at 9.8; CVE-2026-2332, CVE-2026-33557 and CVE-2026-46819 at 9.1; and CVE-2026-46833 at 9.0.
Impact
Successful exploitation of these vulnerabilities could lead to the following:
CVE-2026-46840: Due to a vulnerability in the Backend-as-a-Service component of Oracle REST Data Services, an unauthenticated attacker could compromise and take over the affected system, with potential impact on additional connected products.
CVE-2026-46817: Due to a vulnerability in the File Transmission component of Oracle Payments, an unauthenticated attacker could take over the affected Oracle Payments system.
CVE-2026-2332: Due to a vulnerability in the Core component of Oracle REST Data Services, an unauthenticated attacker could gain unauthorised creation, deletion, modification, and read access to critical data on the affected system.
CVE-2026-33557: Due to a vulnerability in the Message Bus component of Oracle Communications Unified Assurance, an unauthenticated attacker could gain unauthorised creation, deletion, modification, and read access to critical data on the affected system.
CVE-2026-46819: Due to a vulnerability in the Internal Operations component of Oracle Internet Procurement Connector, an unauthenticated attacker could gain unauthorised creation, deletion, modification, and read access to critical data on the affected system.
CVE-2026-46833: Due to a vulnerability in the Net Service component of Oracle Database Server, an unauthenticated attacker could compromise and take over the affected Net Service, with potential impact on additional connected products.
CVE-2026-34311: Due to a vulnerability in Oracle Hospitality OPERA 5 Property Services, an unauthenticated attacker could take over the affected system.
Affected Products
These vulnerabilities affect the following Oracle products and versions:
CVE-2026-46840 (Oracle REST Data Services — Backend-as-a-Service): versions 24.2.0 through 26.1.0
CVE-2026-46817 (Oracle E-Business Suite — Oracle Payments): versions 12.2.3 through 12.2.15
CVE-2026-2332 (Oracle REST Data Services — Core): versions 24.2.0 through 26.1.0
CVE-2026-33557 (Oracle Communications Unified Assurance — Message Bus): versions 6.1.1 through 7.0.0
CVE-2026-46819 (Oracle E-Business Suite — Oracle Internet Procurement Connector): versions 12.2.3 through 12.2.15
CVE-2026-46833 (Oracle Database Server — Net Service): versions 23.4.0 through 23.26.2
CVE-2026-34311 (Oracle Hospitality OPERA 5 Property Services): versions 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6, and 5.6.28
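To triage an asset inventory against the versions listed above, the following added example (not part of the original advisory and not Oracle code) compares dotted version numbers numerically, since a plain string comparison would wrongly place 12.2.10 below 12.2.3. The hostnames and inventory rows are constructed sample data, and it assumes purely numeric dotted versions and treats the OPERA 5 entries as exact versions.

```python
from itertools import zip_longest

# Rules transcribed from the advisory's "Affected Products" list:
# ("range", low, high) is inclusive; ("exact", [...]) matches listed versions only.
ORDS, EBS = "Oracle REST Data Services", "Oracle E-Business Suite"
AFFECTED = [
    ("CVE-2026-46840", ORDS, ("range", "24.2.0", "26.1.0")),
    ("CVE-2026-46817", EBS, ("range", "12.2.3", "12.2.15")),
    ("CVE-2026-2332", ORDS, ("range", "24.2.0", "26.1.0")),
    ("CVE-2026-33557", "Oracle Communications Unified Assurance",
     ("range", "6.1.1", "7.0.0")),
    ("CVE-2026-46819", EBS, ("range", "12.2.3", "12.2.15")),
    ("CVE-2026-46833", "Oracle Database Server", ("range", "23.4.0", "23.26.2")),
    ("CVE-2026-34311", "Oracle Hospitality OPERA 5 Property Services",
     ("exact", ["5.6.19.24", "5.6.22", "5.6.25.19", "5.6.27.6", "5.6.28"])),
]

def compare(a, b):
    """Numeric compare with zero padding: 24.2 == 24.2.0, 12.2.10 > 12.2.3.
    Raises ValueError on non-numeric parts (assumption: versions are numeric)."""
    pa = [int(p) for p in a.strip().split(".")]
    pb = [int(p) for p in b.strip().split(".")]
    for x, y in zip_longest(pa, pb, fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def affected_cves(product, version):
    """Return the advisory's CVEs whose listed versions include this install."""
    hits = []
    for cve, name, rule in AFFECTED:
        if name != product:
            continue
        if rule[0] == "range":
            if compare(rule[1], version) <= 0 <= compare(rule[2], version):
                hits.append(cve)
        elif any(compare(version, v) == 0 for v in rule[1]):
            hits.append(cve)
    return hits

# Constructed sample inventory: (hostname, product, installed version).
INVENTORY = [
    ("ords-prod-01", ORDS, "25.1.0"),
    ("ebs-fin-01", EBS, "12.2.10"),
    ("db-core-02", "Oracle Database Server", "23.26.3"),
    ("opera-pms-01", "Oracle Hospitality OPERA 5 Property Services", "5.6.25.19"),
]

def triage(inventory):
    """Map each host running a listed version to the CVEs that apply to it."""
    found = {host: affected_cves(prod, ver) for host, prod, ver in inventory}
    return {host: cves for host, cves in found.items() if cves}
```

An empty result only means the installed version is outside the versions this advisory lists.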
Mitigation
Users and administrators of affected products are advised to update to the latest versions immediately.
References
https://www.oracle.com/security-alerts/cspumay2026.html
https://www.oracle.com/security-alerts/cspumay2026verbose.html
https://nvd.nist.gov/vuln/detail/CVE-2026-46840
https://nvd.nist.gov/vuln/detail/CVE-2026-46817
https://nvd.nist.gov/vuln/detail/CVE-2026-2332
https://nvd.nist.gov/vuln/detail/CVE-2026-33557
https://nvd.nist.gov/vuln/detail/CVE-2026-46819
