{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21999", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.724Z", "datePublished": "2026-04-21T20:34:59.782Z", "dateUpdated": "2026-04-22T14:04:56.332Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:34:59.782Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all XML Database accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Database Server", "versions": [{"version": "23.4.0", "status": "affected", "lessThanOrEqual": "23.26.1", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:database_-_xml_database:*:*:*:*:*:*:*:*", "versionStartIncluding": "23.4.0", "versionEndIncluding": "23.26.1"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the XML Database component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all XML Database accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T14:04:52.440323Z", "id": "CVE-2026-21999", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T14:04:56.332Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the XML Database component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all XML Database accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N)."}], "id": "CVE-2026-21999", "lastModified": "2026-04-22T14:16:31.823", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 3.6, "source": "secalert_us@oracle.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:25.060", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "database_-_xml_database", "vendor": "oracle"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[23.4.0,23.26.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Oracle Database Server", "source": "cna", "vendor": "Oracle Corporation"}, "product": "database_server", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T05:21:19.173640+00:00", "value": {"mitigation_remediation": ["Apply the patch(s) released in Oracle\u2019s April\u202f2026 CPU advisory for the affected XML Database versions", "If patching cannot be performed immediately, block external HTTPS access to the XML Database service through firewall rules or network segmentation", "Restrict XML Database permissions to authorized accounts only and audit access logs for anomalous activity"], "summary": {"action": "Assess Impact", "impact": "Unauthorized data access via HTTPS"}, "threat_synthesis": {"affected_systems": "Affected products include Oracle Corporation's Oracle Database Server, specifically the XML Database component. The affected versions are 23.4.0 through 23.26.1. No other versions or products are mentioned. The failure to restrict access pertains only to the XML Database service exposed via HTTPS.", "description_and_impact": "The vulnerability resides in the XML Database component of Oracle Database Server. An unauthenticated attacker who can reach the HTTPS interface can potentially retrieve any accessible XML data. The flaw is described as difficult to exploit and requires the involvement of a distinct human actor; however, if successful, it allows unauthorized data access or complete takeover of the XML Database. The weakness primarily impacts confidentiality, as indicated by the high confidentiality impact in the CVSS vector.", "risk_and_exploitability": "The CVSS base score of 5.3 places the issue in the medium severity range, with a high confidentiality impact but no integrity or availability impact. The EPSS score is not available, so exploitation likelihood cannot be precisely quantified from the data; the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote HTTPS access, and the vulnerability mandates human interaction beyond the attacker, which could lower practical exploitation probability. Nevertheless, the flaw permits unauthorized data access if an attacker overcomes the interaction hurdle."}}}}, "created": "2026-04-22T03:00:06.760851+00:00", "title": "Unauthenticated XML Database Access via HTTPS in Oracle Database Server", "updated": "2026-04-22T11:45:17.788430+00:00", "vendors": ["oracle", "oracle$PRODUCT$database_-_xml_database", "oracle$PRODUCT$database_server"], "weaknesses": ["CWE-284"]}