Description
Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Published: 2026-01-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Breach
Action: Patch Now
AI Analysis

Impact

The Oracle Life Sciences Central Designer product contains a vulnerability that allows an unauthenticated attacker with network access via HTTP to read restricted data. The weakness is an exposure of sensitive information and is classified as CWE-200. Successful exploitation results in unauthorized read access to a subset of data that should not be available without proper authentication. The impact is limited to confidentiality; integrity and availability are not affected.

Affected Systems

Oracle Life Sciences Central Designer version 7.0.1.0 is affected. Any deployment of this product running that specific version is susceptible to the vulnerability.

Risk and Exploitability

The CVSS v3.1 base score is 5.3, with low attack complexity (AC:L) and no user interaction required (UI:N). The EPSS score is < 1%, indicating a very low estimated probability of exploitation at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP request over the network; an attacker must have network reach to the application server to leverage the flaw.

Generated by OpenCVE AI on April 18, 2026 at 15:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle's patch or upgrade to a non‑vulnerable version of Oracle Life Sciences Central Designer.
  • Restrict network access to the application by using firewall rules or a virtual private network so that only trusted hosts can reach the HTTP interface.
  • Configure the application to enforce authentication for all data‑access endpoints, ensuring that unauthenticated requests are rejected.



Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:00:00 +0000

Type | Values Removed | Values Added
Title | | Unauthenticated Data Exposure in Oracle Life Sciences Central Designer

Wed, 21 Jan 2026 15:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-200
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
First Time appeared | | Oracle; Oracle life Sciences Central Designer
CPEs | | cpe:2.3:a:oracle:life_sciences_central_designer:7.0.1.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle life Sciences Central Designer
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T14:38:13.502Z

Reserved: 2026-01-05T18:07:34.715Z

Link: CVE-2026-21974

Vulnrichment

Updated: 2026-01-21T14:37:46.272Z

NVD

Status: Analyzed

Published: 2026-01-20T22:16:00.587

Modified: 2026-01-29T14:47:09.210

Link: CVE-2026-21974

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses