Description
Vulnerability in the RDBMS component of Oracle Database Server. Supported versions that are affected are 19.3-19.30. Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS accessible data. CVSS 3.1 Base Score 2.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N).
Published: 2026-04-21
Score: 2.4 Low
EPSS: n/a
KEV: No
Impact: Unauthorized read access to a subset of RDBMS data
Action: Assess Impact
AI Analysis

Impact

The vulnerability in Oracle Database Server’s RDBMS component allows a high-privileged attacker who already holds the Row Access Method privilege to read a subset of the data accessible to the RDBMS. To succeed, the attacker must have network access through one of the multiple supported protocols, and the attack requires human interaction from a person other than the attacker. The impact is confined to confidentiality, with no direct effect on integrity or availability.

Affected Systems

Oracle Database Server versions 19.3 up to and including 19.30 are affected. These releases are currently supported and are the only ones identified for this vulnerability.

Risk and Exploitability

The CVSS 3.1 base score of 2.4 indicates a low severity vulnerability that impacts confidentiality only. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, suggesting a limited likelihood of widespread exploitation. The exploit requires both network connectivity and privileged access, and also a second human actor, which further reduces the practical feasibility of an attack. However, in environments where the Row Access Method privilege is granted broadly, the potential for unauthorized read of data remains a concern.

Generated by OpenCVE AI on April 22, 2026 at 04:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle Database Server patch that addresses this issue or upgrade to a newer supported version that includes the fix.
  • Re‑evaluate the assignment of Row Access Method privileges; limit them to the minimum set of users who truly need them and monitor any changes to these privileges.
  • Disable unnecessary network protocols used to connect to the database and employ network segmentation or firewall rules to restrict exposure to only trusted hosts.
  • Implement vigilant logging and monitoring of data access patterns to detect potential misuse of authorized privileges.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 02:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Unauthorized Read Access via Row Access Method Privilege in Oracle Database Server |
| Weaknesses | | CWE-284 |

Wed, 22 Apr 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Vulnerability in the RDBMS component of Oracle Database Server. Supported versions that are affected are 19.3-19.30. Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS accessible data. CVSS 3.1 Base Score 2.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N). |
| First Time appeared | | Oracle; Oracle database - Rdbms |
| CPEs | | cpe:2.3:a:oracle:database_-_rdbms:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle database - Rdbms |
| References | | |
| Metrics | | cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:37.341Z

Reserved: 2026-03-26T19:48:45.680Z

Link: CVE-2026-34312

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:36.650

Modified: 2026-04-21T21:16:36.650

Link: CVE-2026-34312

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:00:09Z

Weaknesses