Oracle MCP Server Helper Tool 1.0.0-1.0.156 Remote SQL Injection via HTTP
CVE-2026-35228 Published on May 5, 2026

Vulnerability in the Oracle MCP Server Helper Tool product of Oracle Open Source Projects (component: helper tool). The supported versions that is affected is 1.0.1-1.0.156. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle MCP Server Helper Tool. Successful attacks of this vulnerability can result in Oracle MCP Server Helper Tool executing malicious SQL.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2026-35228 is exploitable with network access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
LOW
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Weakness Type

What is a SQL Injection Vulnerability?

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

CVE-2026-35228 has been classified to as a SQL Injection vulnerability or weakness.


Products Associated with CVE-2026-35228

Want to know whenever a new CVE is published for Oracle? stack.watch will email you.

Oracle
 

Affected Versions

Oracle Corporation Oracle MCP Server Helper Tool product of Oracle Open Source Projects Version 1.0.1-1.0.156 is affected by CVE-2026-35228