{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21966", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.714Z", "datePublished": "2026-01-20T21:56:33.912Z", "dateUpdated": "2026-01-21T19:54:47.033Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:33.912Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Hospitality OPERA 5 Property Services", "versions": [{"version": "5.6.19.23", "status": "affected", "versionType": "semver"}, {"version": "5.6.25.17", "status": "affected", "versionType": "semver"}, {"version": "5.6.26.10", "status": "affected", "versionType": "semver"}, {"version": "5.6.27.4", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.19.23:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.25.17:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.26.10:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.27.4:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T19:53:17.895109Z", "id": "CVE-2026-21966", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T19:54:47.033Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21966", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-21T19:53:17.895109Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T19:54:35.863Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Hospitality OPERA 5 Property Services", "versions": [{"status": "affected", "version": "5.6.19.23", "versionType": "semver"}, {"status": "affected", "version": "5.6.25.17", "versionType": "semver"}, {"status": "affected", "version": "5.6.26.10", "versionType": "semver"}, {"status": "affected", "version": "5.6.27.4", "versionType": "semver"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.19.23:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.25.17:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.26.10:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_opera_5_property_services:5.6.27.4:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:33.912Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21966", "state": "PUBLISHED", "dateUpdated": "2026-01-21T19:54:47.033Z", "dateReserved": "2026-01-05T18:07:34.714Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-01-20T21:56:33.912Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:hospitality_opera_5:5.6.19.23:*:*:*:*:*:*:*", "matchCriteriaId": "04679532-E932-4A98-851D-A5D2686E811A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_opera_5:5.6.25.17:*:*:*:*:*:*:*", "matchCriteriaId": "F72AC12F-7DA8-4AB4-9645-FD6FCE2AB539", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_opera_5:5.6.26.10:*:*:*:*:*:*:*", "matchCriteriaId": "F029305F-46E1-4620-9545-ED7066B33B0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:hospitality_opera_5:5.6.27.4:*:*:*:*:*:*:*", "matchCriteriaId": "857E949C-0A97-4148-BE92-B0E55808290F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."}], "id": "CVE-2026-21966", "lastModified": "2026-01-29T14:48:47.800", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-01-20T22:15:59.607", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:27:47.954215+00:00", "value": {"mitigation_remediation": ["Check with Oracle for an official patch or update for OPERA\u00a05 Property Services and apply it as soon as possible", "If a patch is unavailable, restrict HTTP access to the OPERA servers to trusted internal hosts or VPNs, denying public network exposure", "Configure network firewalls to block unused ports and enforce time\u2011locked access windows for maintenance"], "summary": {"action": "Apply Patch", "impact": "Unauthorized Data Manipulation and Disclosure"}, "threat_synthesis": {"affected_systems": "Oracle Hospitality OPERA 5 Property Services, versions 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. These deliverables are used by hotels and hospitality establishments to manage reservations and property services.", "description_and_impact": "The vulnerability in Oracle Hospitality OPERA 5 Property Services permits an unauthenticated attacker with HTTP access to modify, insert, or delete data, as well as read restricted data. The flaw lies in missing or ineffective authorization controls, allowing unauthorized data operations that compromise confidentiality and integrity of hotel management information. Successful exploitation could alter booking records, customer details, or pricing, potentially disrupting operations and exposing sensitive information.", "risk_and_exploitability": "The CVSS\u202f3.1 base score of 6.1 indicates a medium severity. The EPSS score is below 1\u202f%, implying a very low but non\u2011zero probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Attack requires an attacker to be on the same network as the OPERA server and to interact through HTTP; user interface interaction is necessary, suggesting the exploit must involve a user delivering a crafted HTTP request. Once activated, the attacker can abuse missing authorization to gain read or write access to a subset of the system\u2019s data. The scope change indicates that impact may extend beyond the OPERA application to other integrated services."}}}}, "created": "2026-04-18T04:30:35.832367+00:00", "title": "Unauthenticated Authorization Bypass in Oracle Hospitality OPERA\u00a05 Property Services", "updated": "2026-04-18T04:30:35.832384+00:00", "vendors": [], "weaknesses": ["CWE-285"]}