Description
Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HCM Common Architecture. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HCM Common Architecture accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Unauthorized Data Access
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Oracle HCM Common Architecture allows an unauthenticated attacker who can reach the HTTP interface to bypass authentication and gain unauthorized access to all data accessible through the system. Successful exploitation may result in the disclosure of critical data. The CVSS vector indicates a high confidentiality impact (C:H).

Affected Systems

Affected product is Oracle HCM Common Architecture, part of Oracle E-Business Suite. Versions 12.2.3 through 12.2.15 are affected.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity. EPSS information is not available, but the vulnerability is described as easily exploitable, implying a non‑negligible likelihood of exploitation. It is not listed in the CISA KEV catalog. The attack vector is likely an unauthenticated HTTP request to the service, with no user privileges required. Because the data can be read and accessed in full, the confidentiality risk is significant.

Generated by OpenCVE AI on April 22, 2026 at 02:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle E-Business Suite HCM Common Architecture patches released on CPU April 2026 to remediate the vulnerability.
  • Restrict network access to Oracle HCM Common Architecture to trusted IP ranges or internal networks using firewall rules or network segmentation.
  • Monitor access logs and set up alerts for suspicious HTTP traffic targeting the HCM services.

Generated by OpenCVE AI on April 22, 2026 at 02:30 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Access to Oracle HCM Common Architecture
Weaknesses CWE-200
CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle HCM Common Architecture product of Oracle E-Business Suite (component: Knowledge Integration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HCM Common Architecture. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle HCM Common Architecture accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle hcm Common Architecture
CPEs cpe:2.3:a:oracle:hcm_common_architecture:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle hcm Common Architecture
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Oracle Hcm Common Architecture
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:29.653Z

Reserved: 2026-03-26T19:48:45.678Z

Link: CVE-2026-34297

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-21T21:16:34.743

Modified: 2026-04-21T21:16:34.743

Link: CVE-2026-34297

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T02:45:05Z

Weaknesses