
A Critical Oracle Security Flaw Lets Hackers Raid Your Database Without a Password

A newly disclosed vulnerability in Oracle's AI server tool lets anyone on the internet run malicious database commands — no login required. Here's what you need to know.


This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.


CVSS 8.7 — HIGH  CVE-2026-35228  |  Oracle MCP Server Helper Tool  |  SQL Injection / RCE



Imagine leaving the front door to every customer record, financial transaction, and internal report your company has ever stored — wide open, with a sign outside that reads "no key needed." That is essentially what a newly disclosed flaw in an Oracle tool does to any organization running it on an internet-connected server.

Who Is Affected — and How Many?

The vulnerability lives inside the Oracle MCP Server Helper Tool, a component of Oracle's Open Source Projects ecosystem increasingly adopted by enterprises connecting AI-assisted workflows to Oracle databases. Every version from 1.0.1 through 1.0.156 — essentially the entire release history of the product — is confirmed vulnerable. That's a wide net. Organizations using this tool to bridge large language models or automation pipelines with Oracle database backends are directly in the crosshairs.

While Oracle has not yet published precise deployment numbers, the MCP (Model Context Protocol) server category has seen explosive adoption in 2025 and 2026 as enterprises rush to connect AI agents to live data sources. Security researchers estimate tens of thousands of instances are reachable from the public internet, many deployed hastily by teams more focused on speed-to-market than hardening network exposure.

⚠️ No active exploitation confirmed — yet. Security teams are urged to treat this as urgent. Vulnerabilities of this class at this severity level are typically weaponized within days to weeks of public disclosure.

What an Attacker Can Actually Do — In Plain English

Here is the scenario that keeps database administrators up at night. Your company runs this Oracle helper tool so that an AI assistant or automated script can answer questions by pulling live data from your Oracle database. The tool sits on a server, listens for requests over the web, and acts as a trusted middleman. It assumes that anyone sending it a request has already been verified elsewhere.

That assumption is the fatal flaw. An attacker anywhere in the world — no account, no password, no prior relationship with your systems whatsoever — can send a specially crafted request directly to that tool over a normal web connection. Hidden inside that request is malicious database code. The helper tool, none the wiser, passes that code straight to your Oracle database and executes it. At that point, the attacker isn't knocking on the door; they're already sitting at the filing cabinet. Depending on what database permissions the helper tool runs under, they can read sensitive records, modify data, delete tables, or use the database engine as a launchpad to move deeper into your network.

What makes this especially dangerous is the "unauthenticated" part. Most serious breaches require at least some initial foothold — a phishing email that tricks an employee, a stolen password, a misconfigured login page. This vulnerability skips all of that. A scanner running automated probes can find a vulnerable instance and begin extracting data in seconds, with no human interaction on the victim's end required.

The Technical Detail Security Teams Need

Technical Anchor — For Researchers & Defenders

Vulnerability Class: SQL Injection via unauthenticated HTTP endpoint

Affected Component: helper tool module within Oracle MCP Server Helper Tool, versions 1.0.1–1.0.156

Attack Vector: Network / No authentication required / No user interaction required

CVSS v3.1 Score: 8.7 (HIGH)

CWE Classification: CWE-89 — Improper Neutralization of Special Elements used in an SQL Command

Impact: Confidentiality, Integrity, and Availability of the database backend; potential for lateral movement depending on DB user privileges

The vulnerability is a classic SQL injection — a flaw class first documented in 1998 that continues to rank among the most exploited vulnerability types globally according to OWASP and CISA year after year. The twist here is context: SQL injection in an AI/LLM bridge tool means that prompt-like inputs passed through the MCP layer are insufficiently sanitized before being interpolated into database queries. This creates a particularly stealthy attack surface because traffic to these endpoints may blend in with legitimate AI workflow requests, potentially evading signature-based detection.
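The difference between interpolating request text into a query and binding it, as an added example that is not code from the Oracle tool. The schema, handler names and sample input are hypothetical, and sqlite3 stands in for the Oracle backend so the block runs offline.

```python
import sqlite3

# Hypothetical schema and tool handlers; sqlite3 stands in for the Oracle
# backend. None of this is taken from the Oracle MCP Server Helper Tool.
ALLOWED_TABLES = {"orders", "customers"}  # identifiers cannot be bound: allow-list them

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    db.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                   [(1, "acme", 120.0), (2, "globex", 75.5), (3, "initech", 310.0)])
    return db

def lookup_interpolated(db, customer):
    # Weak pattern: the caller's text becomes part of the SQL statement itself.
    sql = f"SELECT id, total FROM orders WHERE customer = '{customer}'"
    return db.execute(sql).fetchall()

def lookup_bound(db, table, customer):
    # Hardened pattern: table name checked against an allow-list, value bound.
    if table not in ALLOWED_TABLES:
        raise ValueError(f"table not permitted: {table!r}")
    sql = f"SELECT id, total FROM {table} WHERE customer = ?"
    return db.execute(sql, (customer,)).fetchall()

# Constructed input: the quote changes the statement's meaning when
# interpolated, but is only an odd customer name when bound.
CRAFTED = "nobody' OR '1'='1"
```

With the interpolated handler the constructed input returns every row in the table; with the bound handler it matches no customer and returns nothing.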

Real-World Context: How This Was Found, and What We Know So Far

As of publication, Oracle has assigned this the identifier CVE-2026-35228 and rated it HIGH severity with a CVSS score of 8.7. No active exploitation campaigns have been confirmed in the wild, and no known ransomware groups or nation-state actors have been publicly linked to attacks leveraging this specific flaw — yet.

"No active exploitation" is not the same as "safe to ignore." It means defenders have a window. That window closes the moment a working proof-of-concept circulates on exploit forums, which typically happens within 48–72 hours of high-profile CVE disclosure for vulnerabilities in this severity range.

The vulnerability was discovered through Oracle's coordinated disclosure process. Given the MCP server category's rapid rise as a bridge between AI systems and sensitive enterprise data, security researchers have been scrutinizing these tools heavily in recent months. This disclosure is unlikely to be the last of its kind in the MCP ecosystem.

Organizations in financial services, healthcare, legal, and government sectors — verticals that have aggressively adopted AI-to-database pipelines while handling particularly sensitive data — should treat this as a priority-one incident response item even before confirmed exploitation emerges.

What You Should Do Right Now — Three Steps

  • Step 1: Identify and isolate every instance immediately. Audit your environment for any deployment of Oracle MCP Server Helper Tool versions 1.0.1 through 1.0.156. Use your asset inventory, container registries, and cloud resource tags. If you find an exposed instance, take it off public network access now — move it behind a VPN or internal-only network segment while you plan the upgrade. Do not wait for a maintenance window.
  • Step 2: Apply Oracle's patch to version 1.0.157 or later. Oracle's fix is available through the Oracle Open Source Projects repository. Update to the patched release (1.0.157 or any subsequent release that addresses CVE-2026-35228). Verify the version after deployment and confirm via your vulnerability scanner that the CVE is no longer flagged. If you are running the tool in a container or CI/CD pipeline, rebuild from the updated base image — don't just patch in place.
  • Step 3: Review database permissions and audit your logs going back 30 days. The helper tool's database service account should operate under the principle of least privilege — read-only access wherever possible, tightly scoped to only the schemas it actually needs. Review those permissions now and revoke anything excessive. Then pull 30 days of database and HTTP access logs and look for anomalous query patterns, unusual data volumes, or unrecognized source IPs hitting the MCP endpoint. If you find something suspicious, escalate to incident response before proceeding with patching.
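One way to start the 30-day HTTP log review in Step 3, as an added example that is not part of the original article. It assumes access logs in common log format; the endpoint path `/mcp`, the trusted client network and the volume threshold are placeholders, and the sample lines are constructed.

```python
import ipaddress, re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed placeholders (not from the article): path, trusted networks, threshold.
MCP_PATH = "/mcp"
KNOWN_CLIENTS = [ipaddress.ip_network("10.20.0.0/16")]
BYTES_THRESHOLD = 5_000_000
LOOKBACK = timedelta(days=30)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} (?P<size>\d+|-)')

def is_known(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname or garbage in the client field
        return False
    return any(addr in net for net in KNOWN_CLIENTS)

def triage(lines, now):
    """Return {source: {requests, bytes, reasons}} for sources to investigate."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["path"].split("?")[0] != MCP_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if now - ts > LOOKBACK:
            continue
        stats[m["ip"]]["requests"] += 1
        stats[m["ip"]]["bytes"] += 0 if m["size"] == "-" else int(m["size"])
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if not is_known(ip):
            reasons.append("unrecognized source")
        if s["bytes"] > BYTES_THRESHOLD:
            reasons.append("unusual data volume")
        if reasons:
            findings[ip] = {**s, "reasons": reasons}
    return findings

# Constructed sample lines (common log format, documentation IP ranges).
NOW = datetime(2026, 3, 15, tzinfo=timezone.utc)
SAMPLE = [
    '10.20.3.7 - - [02/Mar/2026:09:15:02 +0000] "POST /mcp HTTP/1.1" 200 1840',
    '203.0.113.45 - - [02/Mar/2026:09:16:40 +0000] "POST /mcp HTTP/1.1" 200 7340032',
    '198.51.100.9 - - [20/Jan/2026:11:02:13 +0000] "POST /mcp HTTP/1.1" 200 950',
    '10.20.8.2 - - [05/Mar/2026:22:41:09 +0000] "POST /mcp HTTP/1.1" 200 6000000',
]
```

Calling `triage(SAMPLE, NOW)` flags the external source and the internal client with an unusually large response total; the January entry falls outside the 30-day window and is ignored.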

The Bigger Picture

This vulnerability is a warning shot for the entire industry rushing to bolt AI capabilities onto existing enterprise infrastructure. The MCP protocol has become a de facto standard for connecting AI agents to live data sources — and that makes every component in that pipeline a high-value target. A tool that was a niche database utility six months ago is now potentially a front door to an organization's most sensitive information assets. Security practices have not kept pace with that shift in risk profile.

The fix here is well-understood and achievable: patch, restrict network access, enforce least privilege. The harder fix — slowing down AI infrastructure deployments long enough to properly harden them — is a conversation that enterprise security teams urgently need to be having with their engineering counterparts.

