Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition executes to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 2.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N).
Published: 2026-04-21
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Assess Impact
AI Analysis

Impact

A vulnerability in the Security component of Oracle Java SE, Oracle GraalVM for JDK and Oracle GraalVM Enterprise Edition allows an unauthenticated attacker who can log on to the infrastructure where the product runs to read a subset of data that the application or Java process can access. The flaw is triggered by calls to vulnerable APIs, such as those exposed by web services or by sandboxed Java Web Start applications or applets that load untrusted code. The CVSS v3.1 vector indicates a low confidentiality impact (C = Low), with no identified integrity or availability consequences.

Affected Systems

Affected releases are Oracle Java SE versions 8u481 (and variants 8u481-b50, 8u481-perf), 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK 17.0.18 and 21.0.10; and Oracle GraalVM Enterprise Edition 21.3.17. All listed versions run the vulnerable Security component.

Risk and Exploitability

The CVSS base score of 2.9 classifies the vulnerability as low severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker already have logon to the infrastructure where the product executes; no public remote exploitation path is documented in the available information. Consequently, the risk is limited to situations where local infrastructure access is possible, but the potential to read confidential application data remains a concern.

Generated by OpenCVE AI on April 22, 2026 at 15:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle’s patch or upgrade to a non-affected release as detailed in the advisory at https://www.oracle.com/security-alerts/cpuapr2026.html
  • Restrict exposure of the vulnerable APIs by limiting network access to services that expose them and enforce least-privilege on local accounts
  • Monitor application and network logs for suspicious API calls or unauthorized read attempts and respond promptly to anomalies

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000

Metrics (ssvc), values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 12:15:00 +0000

Title, value removed: Unauthorized Data Access via Insecure APIs in Oracle Java SE and GraalVM
Title, value added: openjdk: OpenJDK: Enhance key generation (Oracle CPU 2026-04)
Weaknesses, value added: CWE-327
References: changed (no values listed)
Metrics (threat_severity), value removed: None
Metrics (threat_severity), value added: Low


Wed, 22 Apr 2026 05:30:00 +0000

Title, value added: Unauthorized Data Access via Insecure APIs in Oracle Java SE and GraalVM
Weaknesses, value added: CWE-200

Wed, 22 Apr 2026 02:15:00 +0000

First time appeared: Oracle graalvm Enterprise Edition
Vendors & Products, value added: Oracle graalvm Enterprise Edition

Wed, 22 Apr 2026 00:00:00 +0000

Description, value added: identical to the Description at the top of this record
First time appeared: Oracle, Oracle graalvm, Oracle graalvm For Jdk, Oracle java Se
CPEs, values added:
  cpe:2.3:a:oracle:graalvm:21.3.17:*:*:*:enterprise:*:*:*
  cpe:2.3:a:oracle:graalvm_for_jdk:17.0.18:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:graalvm_for_jdk:21.0.10:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:java_se:*:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:java_se:11.0.30:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:java_se:17.0.18:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:java_se:21.0.10:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:java_se:25.0.2:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:java_se:26:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:java_se:8u481:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:java_se:8u481:*:*:*:enterprise_performance:*:*:*
Vendors & Products, values added: Oracle, Oracle graalvm, Oracle graalvm For Jdk, Oracle java Se
References: changed (no values listed)
Metrics (cvssV3_1), value added: {'score': 2.9, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:55:11.210Z

Reserved: 2026-03-26T19:48:45.674Z

Link: CVE-2026-34268

Vulnrichment

Updated: 2026-04-22T13:55:03.818Z

NVD

Status : Received

Published: 2026-04-21T21:16:30.353

Modified: 2026-04-22T14:16:55.270

Link: CVE-2026-34268

Redhat

Severity : Low

Public Date: 2026-04-21T20:00:00Z

Links: CVE-2026-34268 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-22T15:15:16Z

Weaknesses