Skills
Oracle MCP Server Helper Tool CVE-2026-35228: Unauthenticated SQL Injection via HTTP — Versions 1.0.1 Through 1.0.156 Affected
CVE-2026-35228 is a high-severity vulnerability in Oracle MCP Server Helper Tool (versions 1.0.1–1.0.156) that allows unauthenticated attackers with network access via HTTP to execute malicious SQL. Low attack complexity. Part of Oracle's April 2026 Critical Patch Update. Significant because Oracle's MCP tooling is an enterprise entry point — compromise of a server-side helper mediating database access translates quickly into data theft and integrity loss.
↳ Follow the thread