Description
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Confidentiality impact
Action: Patch immediately
AI Analysis

Impact

A remote attacker who can reach the Oracle Financial Services Analytical Applications Infrastructure application over HTTP can exploit this vulnerability without authenticating. Exploitation gives the attacker access to confidential data housed in the environment, potentially allowing full read access to all data that the instance is allowed to serve. The weakness is improper access control (CWE-284); the CVSS 3.1 score of 7.5 reflects a high confidentiality impact with no impact on integrity or availability.

Affected Systems

The Platform component of Oracle Financial Services Analytical Applications Infrastructure is affected. The affected versions are 8.0.7.9, 8.0.8.7 and 8.1.2.5, the supported releases that Oracle lists as vulnerable.

Risk and Exploitability

The vulnerability is exploitable over the network via ordinary HTTP traffic, with no user interaction or special privileges required. The CVSS score of 7.5 signals a high-risk exposure, while the EPSS score of < 1% indicates a very low exploitation probability. The lack of a KEV listing does not diminish the likelihood of exploitation by malicious actors. The likely attack vector is a remote connection to the application's HTTP endpoint.

Generated by OpenCVE AI on April 28, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch for the affected versions, released in the April 2026 Critical Patch Update (CPU) advisory.
  • If patching cannot be applied immediately, restrict HTTP access to the application by firewalling it so that only trusted hosts can reach the interface.
  • Enable detailed logging for HTTP requests to the application and monitor for unexpected or unauthorized access attempts.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Access Vulnerability in Oracle Financial Services Analytical Applications Infrastructure

Mon, 27 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Confidentiality Exposure in Oracle Financial Services Analytical Applications Infrastructure
Weaknesses CWE-285

Thu, 23 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.9.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.7.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.5.0:*:*:*:*:*:*:*

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Confidentiality Exposure in Oracle Financial Services Analytical Applications Infrastructure
Weaknesses CWE-285

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle financial Services Analytical Applications Infrastructure
CPEs cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7.9:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.8.7:*:*:*:*:*:*:*
cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.1.2.5:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle financial Services Analytical Applications Infrastructure
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:48:26.552Z

Reserved: 2026-01-05T18:07:34.727Z

Link: CVE-2026-22010

Vulnrichment

Updated: 2026-04-22T13:46:33.027Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:27.550

Modified: 2026-04-23T15:02:40.380

Link: CVE-2026-22010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses