Description
Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-01-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification and Creation
Action: Patch Immediately
AI Analysis

Impact

A vulnerability in Oracle Applications DBA Java utilities allows an attacker who possesses high privileges and can reach the service over HTTP to exploit the system. The flaw enables creation, deletion or modification of data and can grant complete data access to the attacker, compromising confidentiality and integrity of all Oracle Applications DBA data. The CPE indicates that this issue resides in the database administration component of Oracle E‑Business Suite, exposed to network traffic.

Affected Systems

Oracle Corporation’s Oracle Applications DBA product, part of Oracle E‑Business Suite. Affected releases span version 12.2.3 through 12.2.15. The systems that would be impacted are those deployed with the Java utilities component in these releases. Precise build or patch identification is not provided beyond the version range.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, yet an EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog, further indicating limited real‑world exploitation. Attackers would likely initiate the exploit via HTTP from the network, and would require high privileges on the system. Without the vulnerability, no unauthorized data tampering or access could occur, but once it is exploited, the attacker can freely alter or view all data available to the Oracle Applications DBA.

Generated by OpenCVE AI on April 18, 2026 at 15:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch issued in the January 2026 security patch set to the affected Oracle Applications DBA Java utilities.
  • Restrict HTTP access to the Oracle Applications DBA service to trusted internal networks or apply IP whitelisting to limit exposure.
  • Enable audit logging for data modification actions and configure alerts for high‑privilege changes.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:00:00 +0000

Type | Values Removed | Values Added
Title | | Oracle Applications DBA Unauthorized Data Access via HTTP

Wed, 21 Jan 2026 16:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-284
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N).
First Time appeared | | Oracle, Oracle applications Dba
CPEs | | cpe:2.3:a:oracle:applications_dba:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle, Oracle applications Dba
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-02-26T14:44:38.961Z

Reserved: 2026-01-05T18:07:34.713Z

Link: CVE-2026-21960

Vulnrichment

Updated: 2026-01-21T15:54:26.025Z

NVD

Status: Analyzed

Published: 2026-01-20T22:15:58.853

Modified: 2026-01-29T20:59:47.530

Link: CVE-2026-21960

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses