Description
Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to "Downloading the EPM Agent" (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N).
Published: 2026-01-20
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity
Action: Patch EPM Agent
AI Analysis

Impact

This vulnerability allows an attacker who has high‑privileged access to the infrastructure where the Oracle Planning and Budgeting Cloud Service (EPM Agent) runs to compromise the service, enabling unauthorized creation, deletion or modification of critical data. The weakness results in a high integrity impact but does not directly affect confidentiality or availability.

Affected Systems

Oracle Planning and Budgeting Cloud Service – version 25.04.07. The affected component is the EPM Agent, part of Oracle Hyperion EPM. The vendor is Oracle Corporation.

Risk and Exploitability

The CVSS 3.1 base score is 4.2 with a low exploitation probability of <1 % according to EPSS, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires both high‑privileged infrastructure access and human interaction from a user other than the attacker, making successful attacks less likely but still feasible in environments with inadequate privilege controls.

Generated by OpenCVE AI on April 18, 2026 at 15:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the EPM Agent to a version that contains the fix.
  • Apply least‑privilege principles to the infrastructure hosting the service, limiting high‑privileged logins to only those who truly need them.
  • Enable audit logging and monitoring for unauthorized data modification attempts, and review logs regularly.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title Compromise of Oracle Planning and Budgeting Cloud Service via privileged EPM Agent vulnerability

Thu, 29 Jan 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:planning_and_budgeting_cloud_service:*:*:*:*:*:*:*:*

Wed, 21 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to "Downloading the EPM Agent" (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N).
First Time appeared Oracle
Oracle planning And Budgeting Cloud Service
CPEs cpe:2.3:a:oracle:planning_and_budgeting_cloud_service:25.04.07:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle planning And Budgeting Cloud Service
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:48:53.795Z

Reserved: 2026-01-05T18:07:34.708Z

Link: CVE-2026-21922

Vulnrichment

Updated: 2026-01-21T20:48:50.661Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:54.500

Modified: 2026-01-29T21:31:39.970

Link: CVE-2026-21922

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z
