Description
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-01-20
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification and access
Action: Immediate Patch
AI Analysis

Impact

This vulnerability permits an attacker with low-level local privileges to compromise Oracle Business Intelligence Enterprise Edition. Successful exploitation enables the attacker to create, delete, or modify critical data and gain access to all data exposed by the service. The weakness stems from improper access control that allows local users to act with higher privileges than intended.

Affected Systems

Oracle Corporation’s Oracle Business Intelligence Enterprise Edition, versions 7.6.0.0.0 and 8.2.0.0.0, are affected. The product is part of Oracle Analytics, specifically the Oracle Analytics Cloud component.

Risk and Exploitability

The base CVSS score of 7.1 indicates high severity with confidentiality and integrity impact. Estimated exploitation probability is extremely low (EPSS < 1%) and the vulnerability is not listed in CISA’s KEV catalog. Because the attack requires local logon, the attacker must first gain access to the underlying infrastructure. Once local privileges are present, the vulnerability can be leveraged to elevate privileges within the OBIEE environment.

Generated by OpenCVE AI on April 18, 2026 at 04:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-released patch or upgrade to a supported, non-vulnerable version of Oracle Business Intelligence Enterprise Edition.
  • If a patch is not immediately available, impose stricter local access controls by restricting low-privilege user permissions on the server hosting OBIEE.
  • Monitor system and application logs for anomalous activity such as unexpected creation, deletion, or modification of OBIEE metadata and dashboards.


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Local Privilege Escalation in Oracle Business Intelligence Enterprise Edition
Weaknesses CWE-284
CWE-862

Thu, 29 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo

Wed, 21 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
First Time appeared Oracle
Oracle business Intelligence
CPEs cpe:2.3:a:oracle:business_intelligence:7.6.0.0.0:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:business_intelligence:8.2.0.0.0:*:*:*:enterprise:*:*:*
Vendors & Products Oracle
Oracle business Intelligence
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-02-26T14:44:38.342Z

Reserved: 2026-01-05T18:07:34.716Z

Link: CVE-2026-21976

Vulnrichment

Updated: 2026-01-21T17:19:21.697Z

NVD

Status: Analyzed

Published: 2026-01-20T22:16:00.850

Modified: 2026-01-29T14:46:40.963

Link: CVE-2026-21976

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z