Description
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
Published: 2026-04-21
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: Remote Unauthorized Access
Action: Patch Immediately
AI Analysis

Impact

Oracle HTTP Server versions 12.2.1.4.0 and 14.1.2.0.0 contain a CWE-284 Improper Access Control vulnerability that allows an unauthenticated attacker with network access via HTTP to create, delete, or modify critical data and gain unauthorized access to all data accessible by the server. Successful exploitation can lead to significant confidentiality and integrity violations, and the vulnerability may extend its impact to related products.

Affected Systems

The affected products are Oracle HTTP Server 12.2.1.4.0 and 14.1.2.0.0 as part of Oracle Fusion Middleware. The advisory indicates that any installation of these versions running an external HTTP interface is vulnerable.

Risk and Exploitability

The CVSS base score is 8.7, with a network attack vector, high attack complexity, and no privileges or user interaction required. The EPSS score is not available and the vulnerability is not currently listed in the CISA KEV catalog. Because no public exploit is known, the potential for exploitation depends on how exposed the HTTP server is to the internet, but the high impact score indicates severe risk if the vulnerability is discovered and exploited.

Generated by OpenCVE AI on April 22, 2026 at 05:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle HTTP Server patches or upgrade to a non-affected version, following the instructions in Oracle’s security advisory
  • Restrict network exposure by limiting HTTP server access to trusted IP ranges or applying firewall rules so that the server is not reachable from the open internet
  • Enable detailed logging of authentication and data modification activity, and routinely monitor logs for suspicious or unauthorized actions



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Access and Data Modification via Oracle HTTP Server Vulnerability
Weaknesses CWE-264
CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
First Time appeared Oracle
Oracle http Server
CPEs cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle http Server
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:26.218Z

Reserved: 2026-03-26T19:48:45.677Z

Link: CVE-2026-34291

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:33.950

Modified: 2026-04-21T21:16:33.950

Link: CVE-2026-34291

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:15:06Z

Weaknesses