Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Patch
AI Analysis

Impact

The vulnerability resides in the JGSS component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. It allows an unauthenticated attacker with network access via multiple protocols to compromise sandboxed Java Web Start applications or applets that load untrusted code. Successful exploitation can grant unauthorized access to critical data or complete access to all accessible data in the affected Java deployment, though it requires human interaction with a user different from the attacker. The weakness is related to CWE-285, CWE-306, and CWE-319.

Affected Systems

Affected products are Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The vulnerable versions include Java SE 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26, GraalVM for JDK 17.0.18 and 21.0.10, and GraalVM Enterprise Edition 21.3.17.

Risk and Exploitability

The CVSS v3.1 base score is 5.3, indicating moderate severity, affecting confidentiality only. The EPSS score is currently not available and the vulnerability is not listed in the CISA KEV catalog. Because the vulnerability requires network exposure and human interaction, it is unlikely to be exploited automatically, but valid exploitation may occur if a user runs untrusted Java content. Attackers would typically target client‑side applications that rely on the Java sandbox for security rather than server deployments that run only trusted code.

Generated by OpenCVE AI on April 22, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle's security patches for all affected Java SE and GraalVM versions.
  • Upgrade GraalVM for JDK to the latest release that includes the fix.
  • If patching is delayed, disable or remove Java Web Start and applet support in client environments and audit for untrusted Java code.

Generated by OpenCVE AI on April 22, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-285
CWE-306

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-693
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Access via Vulnerable JGSS Component in Oracle Java SE and GraalVM openjdk: OpenJDK: Improve Kerberos credentialing (Oracle CPU 2026-04)
Weaknesses CWE-319
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Data Access via Vulnerable JGSS Component in Oracle Java SE and GraalVM
Weaknesses CWE-285
CWE-306

Wed, 22 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Oracle graalvm Enterprise Edition
Vendors & Products Oracle graalvm Enterprise Edition

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

Oracle Graalvm Graalvm Enterprise Edition Graalvm For Jdk Java Se
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:09:54.302Z

Reserved: 2026-01-05T18:07:34.727Z

Link: CVE-2026-22013

cve-icon Vulnrichment

Updated: 2026-04-22T14:09:47.511Z

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:27.923

Modified: 2026-04-22T14:16:34.210

Link: CVE-2026-22013

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-21T20:00:00Z

Links: CVE-2026-22013 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses