Description
Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-01-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to critical data
Action: Apply patch
AI Analysis

Impact

The User and User Group component of Oracle Agile PLM serves data over HTTP without requiring authentication (recorded as CWE-200, exposure of sensitive information to an unauthorized actor). According to the CVE description, an unauthenticated attacker with network access can obtain unauthorized access to critical data, up to all data that Agile PLM itself can access. The CVSS 3.1 base score is 7.5 (High); the vector records a high confidentiality impact (C:H) with no integrity or availability impact (I:N/A:N), so the risk is disclosure of product, user and group data rather than modification of records or denial of service.

Affected Systems

Oracle Agile PLM version 9.3.6 is the supported version the CVE lists as affected. NVD's CPE configuration additionally lists Oracle Supply Chain Products Suite 9.3.4 (cpe:2.3:a:oracle:supply_chain_products_suite:9.3.4), the Oracle Supply Chain family the CVE places Agile PLM in; the CVE text itself names only Agile PLM 9.3.6, and this page carries no statement that other Agile PLM releases are unaffected.

Risk and Exploitability

The CVSS 3.1 base score is 7.5 (High). The EPSS score is below 1%, a very low but non-zero estimated probability of exploitation activity in the next 30 days, and the vulnerability is not in CISA's KEV catalog; the SSVC assessment recorded on this page gives Exploitation: none, Automatable: yes and Technical Impact: partial. Absence from KEV means no in-the-wild exploitation has been recorded, not that no exploit exists. The attack vector is not inferred but stated by the CVSS vector: network-reachable over HTTP (AV:N), low attack complexity (AC:L), no privileges (PR:N) and no user interaction (UI:N). Any attacker who can reach the Agile PLM HTTP endpoint can therefore retrieve data and compromise the confidentiality of stored information; the score is driven entirely by C:H, since integrity and availability are not affected.

Generated by OpenCVE AI on April 18, 2026 at 04:34 UTC.

Remediation

No vendor fix, advisory or workaround is linked on this page (the References entry in the history below is empty), although the Action field above reads "Apply patch". Oracle is the CVE assigner, so check Oracle's own security advisory for Agile PLM 9.3.6 for the fix rather than relying on this page's empty reference list.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Oracle Agile PLM 9.3.6 as released by Oracle
  • Restrict HTTP access to the Agile PLM instance to trusted networks or VPNs only; since the vulnerability needs no credentials, network reachability is the attacker's only precondition
  • Use network segmentation and a reverse proxy in front of the Agile PLM services so they are not exposed to the open Internet
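Because the only precondition is HTTP reachability, the practical first check is whether the Agile PLM web tier has been answering requests from outside the trusted networks. The following added example (not from OpenCVE or Oracle) runs that check over web-server access logs in the common "combined" format. The sample log lines are constructed for the example; the /Agile/ context path and the trusted CIDR list are assumptions that should be replaced with the deployment's real values, and no specific vulnerable URL is implied since the advisory names none.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Assumptions, not from the advisory: the Agile PLM web tier is served under the
# /Agile/ context path and only these networks should ever reach it.
AGILE_PATH_PREFIX = "/Agile/"
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Apache/nginx "combined" format: src ident user [ts] "METHOD path proto" status size
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample traffic (TEST-NET addresses), not real logs.
SAMPLE_LOG = """\
10.20.30.40 - - [18/Apr/2026:04:10:01 +0000] "GET /Agile/PLMServlet HTTP/1.1" 200 5120
203.0.113.77 - - [18/Apr/2026:04:10:07 +0000] "GET /Agile/PLMServlet HTTP/1.1" 200 5120
203.0.113.77 - - [18/Apr/2026:04:10:09 +0000] "POST /Agile/PLMServlet HTTP/1.1" 200 98304
198.51.100.9 - - [18/Apr/2026:04:11:13 +0000] "GET /robots.txt HTTP/1.1" 404 153
198.51.100.9 - - [18/Apr/2026:04:11:15 +0000] "GET /Agile/ HTTP/1.1" 403 0
192.168.5.6 - jdoe [18/Apr/2026:04:12:00 +0000] "POST /Agile/PLMServlet HTTP/1.1" 302 0
203.0.113.77 - - [18/Apr/2026:04:12:41 +0000] "GET /Agile/PLMServlet HTTP/1.1" 401 0
"""


@dataclass
class Finding:
    src: str
    path: str
    status: int
    bytes_out: int
    served: bool  # True when a 2xx went to an untrusted client with no authenticated user


def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage in the source field are never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(log_text: str) -> list[Finding]:
    """Flag every request to the Agile PLM path from outside the trusted networks."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        if not m["path"].startswith(AGILE_PATH_PREFIX) or is_trusted(m["src"]):
            continue
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        served = 200 <= status < 300 and m["user"] == "-"
        findings.append(Finding(m["src"], m["path"], status, size, served))
    return findings


def summarize(findings: list[Finding]) -> dict[str, dict[str, int]]:
    """Per-source totals: how many requests, how many were served content, bytes returned."""
    summary: dict[str, dict[str, int]] = {}
    for f in findings:
        row = summary.setdefault(f.src, {"requests": 0, "served": 0, "bytes": 0})
        row["requests"] += 1
        if f.served:
            row["served"] += 1
            row["bytes"] += f.bytes_out
    return summary


if __name__ == "__main__":
    for src, row in summarize(triage(SAMPLE_LOG)).items():
        print(f"{src}: {row['requests']} requests to {AGILE_PATH_PREFIX}, "
              f"{row['served']} served without auth, {row['bytes']} bytes returned")
```

A source that was served 2xx responses with a large byte count, as 203.0.113.77 is in the constructed sample, is the case to escalate: it shows the exposure the advisory describes was reachable, and the byte counts bound what could have been read. Responses of 401/403 from untrusted sources show the reverse proxy or network policy doing its job.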



Advisories

No advisories yet.

History

Thu, 29 Jan 2026 20:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oracle Supply Chain Products Suite
CPEs | | cpe:2.3:a:oracle:supply_chain_products_suite:9.3.4:*:*:*:*:*:*:*
Vendors & Products | | Oracle Supply Chain Products Suite

Wed, 21 Jan 2026 15:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-200
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared | | Oracle; Oracle Agile PLM
CPEs | | cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle Agile PLM
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T14:57:43.763Z

Reserved: 2026-01-05T18:07:34.711Z

Link: CVE-2026-21940

Vulnrichment

Updated: 2026-01-21T14:57:36.606Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:56.787

Modified: 2026-01-29T20:35:05.930

Link: CVE-2026-21940

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses