Description
Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HCM Common Architecture. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HCM Common Architecture accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Oracle HCM Common Architecture allows an unauthenticated attacker who can reach the HTTP interface to bypass authentication and gain unauthorized access to all data accessible through the system. Successful exploitation may result in the disclosure of critical data. The CVSS vector indicates a high confidentiality impact (C:H).

Affected Systems

Affected product is Oracle HCM Common Architecture, part of Oracle E-Business Suite. Versions 12.2.3 through 12.2.15 are affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. The EPSS score of < 1% indicates a very low exploitation probability, although the vulnerability is described as easily exploitable. It is not listed in the CISA KEV catalog. The attack vector is likely an unauthenticated HTTP request to the service, with no user privileges required. Because the data can be read and accessed in full, the confidentiality risk is significant.

Generated by OpenCVE AI on April 28, 2026 at 16:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle E-Business Suite HCM Common Architecture patches released on CPU April 2026 to remediate the vulnerability.
  • Restrict network access to Oracle HCM Common Architecture to trusted IP ranges or internal networks using firewall rules or network segmentation.
  • Monitor access logs and set up alerts for suspicious HTTP traffic targeting the HCM services.

Generated by OpenCVE AI on April 28, 2026 at 16:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Vulnerability in Oracle HCM Common Architecture

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Unauthorized Data Retrieval in Oracle HCM Common Architecture
Weaknesses CWE-284
CWE-290

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 09:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Unauthorized Data Retrieval in Oracle HCM Common Architecture
Weaknesses CWE-284
CWE-290

Wed, 22 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Access to Oracle HCM Common Architecture
Weaknesses CWE-200
CWE-284

Wed, 22 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Access to Oracle HCM Common Architecture
Weaknesses CWE-200
CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HCM Common Architecture. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HCM Common Architecture accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle hcm Common Architecture
CPEs cpe:2.3:a:oracle:hcm_common_architecture:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle hcm Common Architecture
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Oracle Hcm Common Architecture
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:36:56.804Z

Reserved: 2026-03-26T19:48:45.678Z

Link: CVE-2026-34297

cve-icon Vulnrichment

Updated: 2026-04-22T13:36:48.493Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:34.743

Modified: 2026-04-23T18:10:28.700

Link: CVE-2026-34297

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:15:20Z

Weaknesses