Description
Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-01-20
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of critical data and potential deletion by low‑privileged attackers
Action: Immediate Patch
AI Analysis

Impact

Oracle FLEXCUBE Investor Servicing is vulnerable to an access control flaw that allows a low‑privileged attacker with network access via HTTP to create, delete or modify critical data. This flaw can result in significant confidentiality and integrity breaches as the attacker could alter or expunge vital financial information. The weakness is categorized by CWE‑284 (Improper Access Control).

Affected Systems

The vulnerability affects Oracle FLEXCUBE Investor Servicing versions 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0 as listed by Oracle. Enterprises using any of these releases are at risk if they expose the HTTP interface to untrusted users.

Risk and Exploitability

The CVSS 3.1 base score is 8.1 with network access, low attack complexity, low privileges and no user interaction required. The EPSS score is below 1 %, indicating low but non‑zero exploitation probability, and the issue is not yet listed in CISA’s KEV catalog. The attack vector is clear: a network attacker can use HTTP to reach the vulnerable component and exploit the broken access controls to alter data.

Generated by OpenCVE AI on April 18, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle security patch that addresses the access control flaw for all affected FLEXCUBE Investor Servicing releases, as described in Oracle’s CPU Jan 2026 advisory.
  • Restrict HTTP access to the FLEXCUBE Installer by limiting connections to trusted IP addresses or moving the service behind a VPN or reverse proxy.
  • Review and tighten role‑based permissions so that low‑privileged users retain only those privileges required for their duties; remove any rights that allow creation, deletion or modification of critical data.

Generated by OpenCVE AI on April 18, 2026 at 04:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
Title Access Control Bypass Allows Low‑Privilege Attackers to Modify Critical Data in Oracle FLEXCUBE Investor Servicing
Weaknesses CWE-284

Mon, 02 Feb 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Wed, 21 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
First Time appeared Oracle
Oracle flexcube Investor Servicing
CPEs cpe:2.3:a:oracle:flexcube_investor_servicing:14.5.0.15.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:14.7.0.8.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:flexcube_investor_servicing:14.8.0.1.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle flexcube Investor Servicing
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Oracle Flexcube Investor Servicing
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T17:22:59.687Z

Reserved: 2026-01-05T18:07:34.715Z

Link: CVE-2026-21973

cve-icon Vulnrichment

Updated: 2026-01-21T17:22:49.292Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-20T22:16:00.460

Modified: 2026-02-02T18:38:25.583

Link: CVE-2026-21973

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses