Description
Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Configurator, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Configurator accessible data as well as unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-04-21
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Modification and Confidentiality Violation
Action: Immediate Patch
AI Analysis

Impact

Oracle Configurator allows an unauthenticated attacker with network access via HTTP to perform unauthorized update, insert, or delete operations on some of the data the configurator can access, and to read a subset of that data. The vulnerability sits in the User Interface component; its root cause is inferred to be improper access control (the weakness recorded for this CVE is CWE-284), which lets an unauthenticated party trigger actions normally reserved for authenticated users, although the official description does not state this explicitly. Because the CVSS vector carries a scope change (S:C), a successful attack can affect products beyond Oracle Configurator itself, so this weakness can lead to integrity and confidentiality breaches across the affected applications.

Affected Systems

The flaw affects Oracle Configurator versions 12.2.3 through 12.2.15. Oracle E-Business Suite deployments running any of these versions are exposed.

Risk and Exploitability

The CVSS v3.1 base score of 6.1 reflects moderate severity, with low confidentiality and integrity impact on the target system and no availability impact. The EPSS score is currently unavailable, and the vulnerability is not listed in CISA's KEV catalog. Attacks require network connectivity to the configurator's HTTP endpoint and the involvement of a human actor other than the attacker to accept or act upon the changes; this requirement is inferred from the stated need for human interaction (UI:R in the vector). Given that a successful attack can modify or expose data, the threat remains significant for organizations running these versions.

Generated by OpenCVE AI on April 22, 2026 at 06:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle configuration update released in the April 2026 CPU advisory
  • Narrow inbound HTTP access to the Configurator to trusted IP ranges or internal network segments
  • Configure or enforce multi-factor authentication for the Configurator user interface to mitigate unauthorized access


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 14:15:00 +0000 (values added; no values removed)
  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 07:00:00 +0000 (values added; no values removed)
  Title: Unauthenticated HTTP Access Allows Data Modification in Oracle Configurator
  Weaknesses: CWE-284

Wed, 22 Apr 2026 00:00:00 +0000 (values added; no values removed)
  Description: (the CVE description shown at the top of this page)
  First Time appeared: Oracle; Oracle configurator
  CPEs: cpe:2.3:a:oracle:configurator:*:*:*:*:*:*:*:*
  Vendors & Products: Oracle; Oracle configurator
  References: (none recorded)
  Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:51:12.981Z

Reserved: 2026-03-26T19:48:45.675Z

Link: CVE-2026-34274

Vulnrichment

Updated: 2026-04-22T13:50:57.900Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T21:16:31.390

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-34274

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:45:10Z

Weaknesses