Description
Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: ADPatch). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications DBA, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications DBA. CVSS 3.1 Base Score 7.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).
Published: 2026-04-21
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in Oracle Applications DBA’s ADPatch component permits a high‑privileged network attacker to gain control of the DBA interface over HTTP. The vulnerability is a classic authorization bypass (CWE‑284) that, when exploited, can lead to full takeover of database administration functions, compromising confidentiality, integrity, and availability. Successful attacks also risk affecting other Oracle E‑Business Suite components due to the scope change defined in the advisory.

Affected Systems

The affected product is Oracle Corporation’s Oracle Applications DBA component of Oracle E‑Business Suite. Versions 12.2.3 through 12.2.15 are vulnerable. Any installation of these releases that has not yet received the April 2026 CPU update remains at risk.

Risk and Exploitability

The CVSS v3.1 base score is 7.6, indicating high severity with complete confidentiality, integrity, and availability impact. The attack vector is remote (network) via HTTP (AV:N), requires high privileges (PR:H), and needs human interaction from someone other than the attacker (UI:R). EPSS information is not available, and the flaw is not listed in the CISA KEV catalog, yet the combination of remote access and high‑privilege requirement means that an effective exploit would grant an attacker administrative control and potentially extend to other linked products.

Generated by OpenCVE AI on April 22, 2026 at 05:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the April 2026 Oracle CPU patch for Oracle Applications DBA that fixes the ADPatch flaw.
  • Restrict HTTP access to the DBA service to trusted hosts or VPN endpoints, using firewall rules or IP allow lists to reduce exposure to high‑privileged remote connections.
  • Enforce least privilege and strong role‑based access controls for DBA users, ensuring only authenticated database administrators have access and disabling or limiting high‑privileged accounts where feasible.
  • Enable comprehensive logging and audit of DBA operations, and monitor for anomalous activity to detect potential misuse early.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:15:00 +0000

Type: Title
Values Removed: -
Values Added: High‑Privilege Remote Takeover via HTTP in Oracle Applications DBA

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Removed: -
Values Added: Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: ADPatch). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications DBA, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications DBA. CVSS 3.1 Base Score 7.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).

Type: First Time appeared
Values Removed: -
Values Added: Oracle; Oracle applications Dba

Type: Weaknesses
Values Removed: -
Values Added: CWE-284

Type: CPEs
Values Removed: -
Values Added: cpe:2.3:a:oracle:applications_dba:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Removed: -
Values Added: Oracle; Oracle applications Dba

Type: References
Values Removed: -
Values Added: -

Type: Metrics
Values Removed: -
Values Added:
cvssV3_1
{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H'}
ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T03:56:20.912Z

Reserved: 2026-01-05T18:07:34.727Z

Link: CVE-2026-22011

Vulnrichment

Updated: 2026-04-21T22:46:15.856Z

NVD

Status : Received

Published: 2026-04-21T21:16:27.740

Modified: 2026-04-21T23:16:19.620

Link: CVE-2026-22011

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:30:09Z

Weaknesses