Description
Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General). Supported versions that are affected are 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4 and 25.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Utilities Application Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Utilities Application Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Application Framework accessible data as well as unauthorized read access to a subset of Oracle Utilities Application Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-01-20
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data manipulation and disclosure
Action: Immediate Patch
AI Analysis

Impact

Oracle's advisory does not describe the underlying flaw. It states only that a low-privileged attacker with HTTP network access can, with the participation of another user, gain unauthorized update, insert or delete access to some Oracle Utilities Application Framework data and read access to a subset of it. NVD's own analysis recorded no specific weakness (NVD-CWE-noinfo); the CWE-284 (Improper Access Control) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) identifiers attached to this entry come from later enrichment, are consistent with the stated impacts, and are not vendor-confirmed. Two vector elements matter for triage: UI:R means the attack needs a legitimate user to take some action, so it does not succeed against the server alone, and S:C means a successful attack can affect resources managed by a component other than the framework itself, which is why the description warns that additional products may be impacted.

Affected Systems

Oracle Utilities Application Framework versions 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4 and 25.10 are listed as affected. Note that the NVD CPE configuration recorded on 29 Jan 2026 names 4.3.0.3.0 where the advisory text says 4.4.0.3.0; check a 4.3.x or 4.4.x deployment against Oracle's advisory rather than assuming either list is complete. Because the attacker needs only a low-privileged account (PR:L), any deployment reachable by such account holders is exposed, not only those published to the internet; internet-facing instances widen both the pool of potential attackers and the set of users who can be induced to interact.

Risk and Exploitability

The CVSS 3.1 base score of 5.4 is Medium. The EPSS estimate of under 1% and the SSVC assessment recorded on 21 Jan 2026 (Exploitation: none, Automatable: no, Technical Impact: partial) both point to a low current likelihood of exploitation, and the CVE is not in the CISA KEV catalog. Absence from KEV means CISA has not confirmed exploitation in the wild, not that no exploit exists. The vector (AV:N/AC:L/PR:L/UI:R) describes an attacker who already holds a low-privileged account, needs no special conditions, and must get another user to take some action, so the realistic threat is an insider or a compromised low-privileged account combined with social engineering rather than unauthenticated mass exploitation.

Generated by OpenCVE AI on April 18, 2026 at 04:41 UTC.

Remediation

No vendor fix or workaround is recorded on this page.

OpenCVE Recommended Actions

  • Verify the installed Oracle Utilities Application Framework version against the affected list (4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4, 25.10) and apply the patch Oracle provides for that release. Oracle delivers fixes for advisories written in this form through its quarterly Critical Patch Update, so the CPU advisory matching the 2026-01-20 publication date is where to look for the patch and the exact fixed build.
  • Until the patch is applied, remember that PR:L means the attacker is an authenticated low-privileged user, so network restriction alone is not a complete mitigation. Keep the application off the internet and behind segmentation or firewall rules so only staff can reach it, review and prune low-privilege accounts, and brief users that UI:R implies the attack relies on getting a legitimate user to act.
  • Enable audit logging for data modification requests (insert, update, delete) and alert on changes made by accounts whose role should not permit them; the advisory's stated impact is unauthorized modification and reading of framework-accessible data, so that is the signal to watch for.
  • Review role-based access controls so that low-privileged roles carry only the object and operation permissions they need. Narrowing what those roles can touch limits what a successful attack can read or modify even before the patch is in place.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Title Low‑Privilege Data Manipulation via HTTP in Oracle Utilities Application Framework
Weaknesses CWE-200
CWE-284

Thu, 29 Jan 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Oracle utilities Framework
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:oracle:utilities_framework:25.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:25.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.3.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.5.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.5.0.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.5.0.1.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_framework:4.5.0.2.0:*:*:*:*:*:*:*
Vendors & Products Oracle utilities Framework

Wed, 21 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General). Supported versions that are affected are 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4 and 25.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Utilities Application Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Utilities Application Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Application Framework accessible data as well as unauthorized read access to a subset of Oracle Utilities Application Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
First Time appeared Oracle
Oracle utilities Application Framework
CPEs cpe:2.3:a:oracle:utilities_application_framework:25.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_application_framework:25.4:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_application_framework:4.4.0.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_application_framework:4.5.0.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_application_framework:4.5.0.1.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_application_framework:4.5.0.1.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:utilities_application_framework:4.5.0.2.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle utilities Application Framework
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T20:50:06.753Z

Reserved: 2026-01-05T18:07:34.708Z

Link: CVE-2026-21924

Vulnrichment

Updated: 2026-01-21T20:50:02.889Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:54.790

Modified: 2026-01-29T21:23:21.187

Link: CVE-2026-21924

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z