CVE-2026-34279 - Vulnerability Details

- Event Management Remote Platform Compromise in Oracle Enterprise Manager Base Platform (13.5/24.1)

Description

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Published: 2026-04-21

Score: 9.1 Critical

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An easily exploitable flaw in the Event Management component of Oracle Enterprise Manager Base Platform allows an attacker who already possesses high privileges and can reach the system over a network to take over the platform. The vulnerability can lead to the compromise of confidentiality, integrity, and availability of the affected system.

Affected Systems

Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 are affected.

Risk and Exploitability

The CVSS base score of 9.1 indicates a very high severity. The exploit vector is network-based HTTP access, although the attacker must already hold high privileges. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, but the high score and known impact suggest it is likely to be targeted by sophisticated threat actors.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Enterprise Manager Base Platform

affected

Version	Status	Constraints
`13.5`	affected	—
`24.1`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Enterprise Manager Base Platform

95%

Version	Status	Scheme	Platform
`13.5`	affected	generic	—
`24.1`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Oracle Enterprise Manager Base Platform patch or upgrade to a non‑affected version.
Restrict HTTP access to the Event Management component by configuring firewalls or network segmentation to limit who can reach the vulnerable interfaces.
Disable or remove the Event Management feature if it is not required for your environment to eliminate the attack surface.

Generated by OpenCVE AI on April 22, 2026 at 05:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 05:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284

Wed, 22 Apr 2026 03:00:00 +0000

Type	Values Removed	Values Added
Title		Event Management Remote Platform Compromise in Oracle Enterprise Manager Base Platform (13.5/24.1)

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
First Time appeared		Oracle Oracle enterprise Manager Base Platform
CPEs		cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5:::::::* cpe:2.3:a:oracle:enterprise_manager_base_platform:24.1:::::::*
Vendors & Products		Oracle Oracle enterprise Manager Base Platform
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Oracle Enterprise Manager Base Platform

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:20.053Z

Updated: 2026-04-22T03:56:23.474Z

Reserved: 2026-03-26T19:48:45.675Z

Link: CVE-2026-34279

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:32.180

Modified: 2026-04-21T21:16:32.180

Link: CVE-2026-34279

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:15:06Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object