Description
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Published: 2026-01-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data exposure
Action: Patch
AI Analysis

Impact

A flaw in the Oracle Configurator user interface allows an attacker with HTTP network access to read a subset of the application's data without authenticating. The vulnerability is easy to exploit and requires no credentials, so it leads to disclosure of confidential information. The weakness is rooted in improper access control that permits reads of data that should be protected.

Affected Systems

The vulnerability affects Oracle Configurator, part of Oracle E-Business Suite, in all supported versions from 12.2.3 to 12.2.15. These versions are distributed by Oracle Corporation.

Risk and Exploitability

The CVSS 3.1 score of 5.3 indicates moderate severity with a low confidentiality impact and no integrity or availability impact. The EPSS score of less than 1% suggests that exploitation is uncommon, and the vulnerability is not listed in CISA's KEV catalog. Nonetheless, the CVSS vector specifies an unauthenticated network attack over HTTP (AV:N, PR:N, UI:N), so an attacker needs only network access to the Configurator service. No credentials are required to gain read access to the protected data, which makes the exploitation path straightforward.

Generated by OpenCVE AI on April 18, 2026 at 20:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-provided patch or upgrade to a version beyond 12.2.15
  • Limit HTTP access to the Configurator service by restricting it to internal networks or protected subnets
  • Implement monitoring to detect suspicious data reads and enforce strict audit logs on the Configurator application

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
Title | | Unauthenticated HTTP Access Leads to Confidential Data Exposure in Oracle Configurator

Thu, 29 Jan 2026 15:00:00 +0000

Type | Values Removed | Values Added
Weaknesses | | NVD-CWE-noinfo

Wed, 21 Jan 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
First Time appeared | | Oracle; Oracle configurator
CPEs | | cpe:2.3:a:oracle:configurator:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle configurator
References | |
Metrics | | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Oracle Configurator
MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T18:10:56.223Z

Reserved: 2026-01-05T18:07:34.715Z

Link: CVE-2026-21972

Vulnrichment

Updated: 2026-01-21T18:10:52.753Z

NVD

Status : Analyzed

Published: 2026-01-20T22:16:00.330

Modified: 2026-01-29T14:47:18.797

Link: CVE-2026-21972

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T20:15:09Z

Weaknesses