Description
Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to Downloading the EPM Agent (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N).
Published: 2026-01-20
Score: 4.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data access and potential full service compromise by a privileged attacker
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper access control flaw that permits a high privileged attacker who has local access to the infrastructure hosting Oracle Planning and Budgeting Cloud Service to read or manipulate critical data, or to assume full control of the service. The flaw resides in the EPM Agent component of Oracle Hyperion. Because the attacker must be logged on to the infrastructure and the attack requires human interaction from a person other than the attacker, it is not fully automated. The result can range from unauthorized data access to a complete compromise of all data available through the service.

Affected Systems

The affected product is Oracle Planning and Budgeting Cloud Service from Oracle Corporation, version 25.04.07. The vulnerability resides in the EPM Agent component of the service. No other versions are currently reported as affected.

Risk and Exploitability

The CVSS 3.1 Base Score is 4.2 (Medium). The vector records a high confidentiality impact (C:H) with no integrity or availability effect (I:N/A:N). The EPSS score is less than 1%, suggesting a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Attackers need local, high-privilege access to the underlying infrastructure (AV:L, PR:H) and human interaction from another person (UI:R) to execute the exploit, so the risk is moderate in environments where privileged access is tightly controlled.

Generated by OpenCVE AI on April 18, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the updated EPM Agent release that addresses this vulnerability.
  • Restrict local infrastructure access to authorized administrators only and enforce least privilege policies.
  • Monitor infrastructure and application logs for any unexpected or unauthorized data access attempts.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
Title High Privileged Local Data Access Vulnerability in Oracle Planning and Budgeting Cloud Service
Weaknesses CWE-284

Wed, 21 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to Downloading the EPM Agent (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle planning And Budgeting Cloud Service
CPEs cpe:2.3:a:oracle:planning_and_budgeting_cloud_service:25.04.07:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle planning And Budgeting Cloud Service
References
Metrics cvssV3_1

{'score': 4.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T16:37:51.774Z

Reserved: 2026-01-05T18:07:34.716Z

Link: CVE-2026-21979

Vulnrichment

Updated: 2026-01-21T16:37:18.409Z

NVD

Status: Deferred

Published: 2026-01-20T22:16:01.267

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-21979

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T15:45:04Z

Weaknesses