CVE-2026-21969 - Vulnerability Details

- Remote Code Execution via Unauthenticated HTTP in Oracle Agile Product Lifecycle Management

Description

Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Published: 2026-01-20

Score: 9.8 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw exists in the Supplier Portal component of Oracle Agile Product Lifecycle Management for Process that allows an unauthenticated attacker to exploit the system via a standard HTTP request. Once exploited, the vulnerability can compromise the confidentiality, integrity, and availability of the entire application, potentially leading to full takeover. The weakness involves improper authorization controls permitting unauthenticated access and potentially allowing an attacker to take over the application.

Affected Systems

Oracle Corporation’s Agile Product Lifecycle Management for Process version 6.2.4 is affected. Users of the Supplier Portal component of this product are at risk.

Risk and Exploitability

The base CVSS score is 9.8, indicating critical severity. Although the EPSS score is reported as less than 1 %, reflecting a low but non‑zero probability of exploitation, the lack of a KEV listing does not diminish the need for immediate action. Based on the description, it is inferred that the likely attack vector is network access over HTTP to the vulnerable endpoint, which is exploitable without authentication or advanced privileges.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Agile Product Lifecycle Management for Process

affected

Version	Status	Constraints
`6.2.4`	affected	—

Configuration 1 [-]

cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.4:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Oracle security patch for Agile Product Lifecycle Management for Process
Restrict network access to the Supplier Portal to authenticated users only via firewall rules
Monitor application logs for anomalous HTTP requests and potential compromise attempts

Generated by OpenCVE AI on April 18, 2026 at 15:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00259.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://www.oracle.com/security-alerts/cpujan2026.html

History

Sat, 18 Apr 2026 16:00:00 +0000

Type	Values Removed	Values Added
Title		Remote Code Execution via Unauthenticated HTTP in Oracle Agile Product Lifecycle Management
Weaknesses		CWE-284 CWE-287

Thu, 29 Jan 2026 15:00:00 +0000

Type	Values Removed	Values Added
Weaknesses		NVD-CWE-noinfo

Wed, 21 Jan 2026 20:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 20 Jan 2026 22:15:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared		Oracle Oracle agile Product Lifecycle Management For Process
CPEs		cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.4:::::::*
Vendors & Products		Oracle Oracle agile Product Lifecycle Management For Process
References		https://www.oracle.com/security-alerts/cpujan2026.html
Metrics		cvssV3_1 `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Oracle Agile Product Lifecycle Management For Process

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-01-20T21:56:34.844Z

Updated: 2026-02-26T14:44:38.630Z

Reserved: 2026-01-05T18:07:34.714Z

Link: CVE-2026-21969

Vulnrichment

Updated: 2026-01-21T19:14:13.284Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:59.970

Modified: 2026-01-29T14:48:11.893

Link: CVE-2026-21969

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object