Description
Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L).
Published: 2026-04-21
Score: 5.5 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Data Modification and Partial Denial of Service
Action: Patch
AI Analysis

Impact

Oracle Workflow exposes a flaw in the Workflow Loader component that allows an attacker who has already acquired high privileges and can reach the system via HTTP to bypass authorization controls. The vulnerability enables unauthorized insert, update, or delete operations on Workflow data and can also trigger a partial denial of service. The impact is on data integrity and limited service availability.

Affected Systems

Oracle Corporation's Oracle Workflow product, part of Oracle E‑Business Suite, is affected in the versions spanning 12.2.3 through 12.2.15. The flaw exists in the Workflow Loader component of these releases. Systems running any of these versions should be verified for the presence of the loader module.

Risk and Exploitability

The CVSS 3.1 base score of 5.5 indicates moderate severity with low to moderate impact on integrity and availability. The attack requires network connectivity to the affected HTTP interface and that the attacker already holds high privileges in the system, which limits the likelihood of exploitation but still poses significant risk. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending crafted HTTP requests to the Workflow Loader endpoint, achieving unauthorized data manipulation and a partial denial of service.

Generated by OpenCVE AI on April 22, 2026 at 04:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle CPU Apr 2026 patch for Oracle Workflow (versions 12.2.3‑12.2.15) to fix the authorization bypass in the Workflow Loader component.
  • Restrict direct HTTP access to the Workflow Loader service by implementing firewall rules or VPN restrictions so that only trusted hosts can reach the endpoint.
  • Disable or limit the use of the Workflow Loader feature if it is not essential, and re‑configure it to run under a least‑privilege account whenever possible.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:15:00 +0000

Title: Authorization Bypass in Oracle Workflow Allows Unauthorized Data Modification and Partial Denial of Service
Weaknesses: CWE-284, CWE-285

Wed, 22 Apr 2026 02:45:00 +0000

Title: Authorization Bypass in Oracle Workflow Allows Unauthorized Data Modification and Partial Denial of Service
Weaknesses: CWE-284, CWE-285

Wed, 22 Apr 2026 00:00:00 +0000

Description (added): Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L).
First Time appeared: Oracle, Oracle workflow
CPEs: cpe:2.3:a:oracle:workflow:*:*:*:*:*:*:*:*
Vendors & Products: Oracle, Oracle workflow
References: (none listed)
Metrics (cvssV3_1): {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:32.038Z

Reserved: 2026-03-26T19:48:45.678Z

Link: CVE-2026-34302

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:35.410

Modified: 2026-04-21T21:16:35.410

Link: CVE-2026-34302

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:00:09Z

Weaknesses

No weakness.