{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34274", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-03-26T19:48:45.675Z", "datePublished": "2026-04-21T20:35:17.079Z", "dateUpdated": "2026-04-22T13:51:12.981Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:17.079Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Configurator", "versions": [{"version": "12.2.3", "status": "affected", "lessThanOrEqual": "12.2.15", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:configurator:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.2.3", "versionEndIncluding": "12.2.15"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:51:03.243007Z", "id": "CVE-2026-34274", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:51:12.981Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34274", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:51:03.243007Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:50:57.900Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Configurator", "versions": [{"status": "affected", "version": "12.2.3", "versionType": "custom", "lessThanOrEqual": "12.2.15"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:configurator:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "12.2.15", "versionStartIncluding": "12.2.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:17.079Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34274", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:51:12.981Z", "dateReserved": "2026-03-26T19:48:45.675Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-04-21T20:35:17.079Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)."}], "id": "CVE-2026-34274", "lastModified": "2026-04-22T21:24:26.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "secalert_us@oracle.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:31.390", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.3,12.2.15]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Oracle Configurator", "source": "cna", "vendor": "Oracle Corporation"}, "product": "configurator", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T06:38:51.060631+00:00", "value": {"mitigation_remediation": ["Apply the Oracle configuration update released in the April\u202f2026 CPU advisory", "Narrow inbound HTTP access to the Configurator to trusted IP ranges or internal network segments", "Configure or enforce multi\u2011factor authentication for the Configurator user interface to mitigate unauthorized access"], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Modification and Confidentiality Violation"}, "threat_synthesis": {"affected_systems": "The flaw affects Oracle Configurator versions 12.2.3 through 12.2.15. A user of Oracle E\u2011Business Suite relying on these configurations is exposed.", "description_and_impact": "Oracle Configurator allows an unauthenticated attacker with network access via HTTP to perform unauthorized update, insert, or delete operations on data that the configurator can access, and to read a subset of that data. The vulnerability stems from improper access control in the User Interface component, enabling actions normally reserved for authenticated users. This weakness can lead to integrity and confidentiality breaches within the affected applications. Based on the description, it is inferred that the root cause is improper access control in the User Interface component, although the official description does not explicitly state this.", "risk_and_exploitability": "The CVSS v3.1 base score of 6.1 reflects moderate severity with low confidentiality and integrity impact on the target system. The EPSS score is currently unavailable, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attacks require network connectivity to the configurator\u2019s HTTP endpoint and the presence of a human actor other than the attacker to accept or act upon the changes. Given that the attack can modify or expose data, the threat remains significant for organizations using these versions. The requirement of a human actor other than the attacker is inferred from the stated need for human interaction in successful attacks."}}}}, "created": "2026-04-22T03:15:06.282806+00:00", "title": "Unauthenticated HTTP Access Allows Data Modification in Oracle Configurator", "updated": "2026-04-22T06:45:10.876012+00:00", "vendors": ["oracle", "oracle$PRODUCT$configurator"], "weaknesses": ["CWE-284"]}