Impact
The vulnerability resides in the SQLcl component of Oracle Database Server. It can be exploited by an attacker who holds no SQLcl or database credentials (PR:N) but already has logon access to the host where SQLcl executes (AV:L), and successful exploitation requires human interaction from a person other than the attacker (UI:R). The outcome is a takeover of the SQLcl process. Because SQLcl is a database client that executes arbitrary SQL under whatever database privileges the connected session holds, a compromised instance can be used to read, modify, or delete data reachable through that session, with confidentiality, integrity, and availability impact. The official description states only that SQLcl is compromised; the data-manipulation consequences are inferred from the tool's role as a SQL client and are not spelled out in the advisory.
Affected Systems
Oracle Database Server versions 23.4.0 through 23.26.0 are affected; the issue applies to all builds of SQLcl distributed as part of these releases.
Risk and Exploitability
The CVSS 3.1 base score of 7.0 (High) is driven by the full confidentiality, integrity, and availability impact rather than by ease of attack: the attack vector is local (AV:L), attack complexity is high (AC:H), and user interaction is required (UI:R). No privileges are required (PR:N), which means the attacker needs no SQLcl or database credentials, only a foothold on the host where SQLcl runs. The EPSS score below 1% and the absence of this CVE from CISA's KEV catalog indicate a low probability of exploitation in the wild, but an attacker who does succeed controls a tool that can issue arbitrary SQL, so the issue warrants timely action. Prioritize shared hosts where untrusted users can log in alongside administrators who run SQLcl, since that is the setting in which the local-access and user-interaction preconditions are met. A successful compromise would allow data to be altered and could disrupt database availability.
OpenCVE Enrichment