Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to confidential data
Action: Apply patch
AI Analysis

Impact

This vulnerability resides in the JAXP component of Oracle Java SE and GraalVM products. It permits an unauthenticated attacker with network access to exploit the APIs exposed over various protocols, such as web services, to gain unauthorized access to critical data. The primary impact is confidentiality compromise, as the attacker can read sensitive data stored within the affected applications or the underlying systems.

Affected Systems

The affected products are Oracle Java SE across multiple release streams (8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26, 8u481-b50, 8u481-perf) and Oracle GraalVM distributions (GraalVM for JDK 17.0.18 and 21.0.10, and GraalVM Enterprise Edition 21.3.17). These versions are listed in the CVE advisory and correspond to the CPE strings provided.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 reflects a high risk to confidentiality, with an attack vector of network and no authentication required. Although the EPSS score is not available and the vulnerability is not currently in the CISA KEV catalog, the combination of network reachability and lack of authentication makes exploitation highly feasible. An attacker can construct crafted XML payloads or use other XML-oriented protocols to trigger the JAXP component, potentially exposing sensitive data.

Generated by OpenCVE AI on April 22, 2026 at 05:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patches for all affected Oracle Java SE and GraalVM releases as announced in the Oracle CPU April 2026 advisory
  • If patching cannot be performed immediately, disable external entity processing in the JAXP parser configuration to prevent XML-based attacks
  • Restrict network access to services that expose JAXP endpoints to trusted hosts only

Generated by OpenCVE AI on April 22, 2026 at 05:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-502

Wed, 22 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Information Disclosure via JAXP in Oracle Java SE and GraalVM openjdk: OpenJDK: Enhance Path Factories Redux (Oracle CPU 2026-04)
First Time appeared Oracle graalvm Enterprise Edition
Weaknesses CWE-611
Vendors & Products Oracle graalvm Enterprise Edition
References
Metrics threat_severity

None

 threat_severity

Important

Wed, 22 Apr 2026 03:15:00 +0000

Type Values Removed Values Added
Title Unauthorized Information Disclosure via JAXP in Oracle Java SE and GraalVM
Weaknesses CWE-20
CWE-676

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
CPEs cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*
cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*
Vendors & Products Oracle
Oracle graalvm
Oracle graalvm For Jdk
Oracle java Se
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Oracle Graalvm Graalvm Enterprise Edition Graalvm For Jdk Java Se
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T14:12:01.017Z

Reserved: 2026-01-05T18:07:34.728Z

Link: CVE-2026-22016

cve-icon Vulnrichment

Updated: 2026-04-22T14:11:56.711Z

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:28.470

Modified: 2026-04-22T14:16:34.723

Link: CVE-2026-22016

cve-icon Redhat

Severity : Important

Publid Date: 2026-04-21T20:00:00Z

Links: CVE-2026-22016 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:45:16Z

Weaknesses