Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Published: 2026-04-21
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality Compromise
Action: Patch
AI Analysis

Impact

A flaw in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition allows a local attacker with access to the infrastructure where the software runs to read data that should be protected. The vulnerability resides in the handling of certain APIs, such as those that return data via a web service. When successfully exploited, an attacker can obtain unauthorized read access to a subset of data exposed by the affected component. The CVSS 3.1 Base Score of 2.9 reflects a low‑level confidentiality impact rather than full code execution or denial of service.

Affected Systems

Affected versions include Oracle Java SE 8u481 (including the 8u481‑b50 and 8u481‑perf builds), 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26; Oracle GraalVM for JDK 17.0.18 and 21.0.10; and Oracle GraalVM Enterprise Edition 21.3.17. These products are listed in Oracle’s April 2026 Critical Patch Update.

Risk and Exploitability

The CVSS vector (AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) indicates that the attack requires local presence or access to the environment where the software is executed, and the exploit is considered difficult to employ. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, so the likelihood of exploitation remains uncertain. Nevertheless, the potential for data exposure warrants timely remediation through the vendor’s update, particularly for systems handling sensitive information.

Generated by OpenCVE AI on April 22, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle patch or update for the affected Java SE, GraalVM for JDK, and GraalVM Enterprise Edition releases listed in the April 2026 CPU
  • Limit exposure of APIs that return sensitive data to trusted clients only, ensuring that untrusted calls cannot reach the vulnerable component
  • If feasible, isolate the Java runtime in a segregated environment and restrict network access to services relying on the affected component

Generated by OpenCVE AI on April 22, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Disclosure via Java APIs in Oracle GraalVM and Java SE Applications openjdk: OpenJDK: Enhance crypto algorithm support (Oracle CPU 2026-04)
Weaknesses CWE-327
References
Metrics threat_severity

None

 threat_severity

Low

Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Disclosure via Java APIs in Oracle GraalVM and Java SE Applications
Weaknesses CWE-200

Wed, 22 Apr 2026 02:00:00 +0000

Type Values Removed Values Added
First Time appeared Oracle graalvm Enterprise Edition
Vendors & Products Oracle graalvm Enterprise Edition

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Oracle Graalvm Graalvm Enterprise Edition Graalvm For Jdk Java Se
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:05:28.424Z

Reserved: 2026-01-05T18:07:34.726Z

Link: CVE-2026-22007

cve-icon Vulnrichment

Updated: 2026-04-22T14:05:25.565Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-21T21:16:26.440

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-22007

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-21T20:00:00Z

Links: CVE-2026-22007 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses