CVE-2026-22014 - Vulnerability Details

Description

Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Workflow and Business Events). Supported versions that are affected are 12.2.7-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle User Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle User Management accessible data as well as unauthorized read access to a subset of Oracle User Management accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).

Published: 2026-04-21

Score: 3.8 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The flaw resides in the Workflow and Business Events component of Oracle User Management. A high‑privileged attacker who can reach the service over HTTP can perform unauthorized updates, inserts, deletes or reads on data that should be protected. The impact is limited to confidentiality and integrity; availability is not affected.

Affected Systems

Oracle Corporation’s Oracle User Management product in the E‑Business Suite, specifically versions 12.2.7 through 12.2.15.

Risk and Exploitability

CVSS v3.1 base score of 3.8 indicates low severity. EPSS score is not available and the issue is not in the CISA KEV catalog, implying a low likelihood of exploitation in the wild. The attack vector is network‑based (HTTP). The vulnerability is easily exploitable for users who already possess high privileges on the targeted instance.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle User Management

affected

Version	Status	Constraints
`12.2.7`	affected	≤ 12.2.15

No data.

Vendor Product Confidence Versions

Oracle

User Management

95%

Version	Status	Scheme	Platform
`[12.2.7,12.2.15]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Oracle patch for Oracle User Management that addresses the Workflow and Business Events vulnerability
Restrict HTTP access to the Oracle User Management endpoints to trusted network segments or users
Disable or remove Workflow and Business Events functionality if it is not required in your environment

Generated by OpenCVE AI on April 22, 2026 at 07:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00025.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 07:30:00 +0000

Type	Values Removed	Values Added
Title	Oracle User Management Unauthorized Data Modification via Workflow Events
Weaknesses		CWE-284

Wed, 22 Apr 2026 05:30:00 +0000

Type	Values Removed	Values Added
Title	Oracle User Management Privilege Escalation via Workflow and Business Events	Oracle User Management Unauthorized Data Modification via Workflow Events
Weaknesses	CWE-284

Wed, 22 Apr 2026 03:15:00 +0000

Type	Values Removed	Values Added
Title		Oracle User Management Privilege Escalation via Workflow and Business Events
Weaknesses		CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle User Management product of Oracle E-Business Suite (component: Workflow and Business Events). Supported versions that are affected are 12.2.7-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle User Management. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle User Management accessible data as well as unauthorized read access to a subset of Oracle User Management accessible data. CVSS 3.1 Base Score 3.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).
First Time appeared		Oracle Oracle user Management
CPEs		cpe:2.3:a:oracle:user_management::::::::
Vendors & Products		Oracle Oracle user Management
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 3.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Oracle User Management

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:09.266Z

Updated: 2026-04-21T20:35:09.266Z

Reserved: 2026-01-05T18:07:34.727Z

Link: CVE-2026-22014

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:28.140

Modified: 2026-04-21T21:16:28.140

Link: CVE-2026-22014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:15:11Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object