Description
Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Applications Framework. CVSS 3.1 Base Score 4.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
Published: 2026-04-21
Score: 4.7 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized data modification, read, and partial denial of service.
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the Oracle Applications Framework Personalization component allows a high-privileged attacker who can reach the application over HTTP to perform unauthorized updates, inserts, deletes, and reads of data accessible through the framework, and to trigger a partial denial of service. The weakness is an improper access control issue (CWE-284) that an attacker already holding sufficient privileges can exploit; the resulting integrity, confidentiality, and availability impacts are each rated Low in the CVSS vector.

Affected Systems

Oracle Applications Framework (Oracle Corporation) versions 12.2.9 through 12.2.15 are affected. These releases run in Oracle E-Business Suite environments where the Personalization feature is deployed.

Risk and Exploitability

The CVSS 3.1 base score of 4.7 indicates moderate overall severity. No EPSS score is published, and the vulnerability is not listed in CISA's KEV catalog. However, the attack vector is network-based (HTTP) and the attack complexity is low (the vendor describes the flaw as easily exploitable), so exploitation is considered both feasible and likely in environments that expose the HTTP endpoints and have high-privileged users. Attackers must already hold high privileges to act, but once they do, they can compromise data integrity and availability within the framework.

Generated by OpenCVE AI on April 22, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Applications Framework to version 12.2.16 or later, which contains the fix for the vulnerable Personalization component.
  • If an upgrade is not immediately possible, restrict HTTP access to the vulnerable component by placing stricter firewall rules or limiting the service to trusted internal hosts.
  • Enforce least‑privilege access controls so that only essential users have high‑privileged roles within the framework, and monitor for unauthorized data changes.

Generated by OpenCVE AI on April 22, 2026 at 02:29 UTC.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 02:45:00 +0000

Type | Values Removed | Values Added
Title | (none) | Unauthorized Data Modification and Partial Denial of Service via Oracle Application Framework Personalization
Weaknesses | (none) | CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Vulnerability in the Oracle Applications Framework product of Oracle E-Business Suite (component: Personalization). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications Framework. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Applications Framework accessible data as well as unauthorized read access to a subset of Oracle Applications Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Applications Framework. CVSS 3.1 Base Score 4.7 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
First Time appeared | (none) | Oracle; Oracle applications Framework
CPEs | (none) | cpe:2.3:a:oracle:applications_framework:*:*:*:*:*:*:*:*
Vendors & Products | (none) | Oracle; Oracle applications Framework
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:30.164Z

Reserved: 2026-03-26T19:48:45.678Z

Link: CVE-2026-34298

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:34.887

Modified: 2026-04-21T21:16:34.887

Link: CVE-2026-34298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:30:05Z

Weaknesses