CVE-2026-34324 - Vulnerability Details

- Unauthenticated HTTP Access Control Flaw in Oracle Life Sciences InForm

Description

Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: App Server). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as unauthorized read access to a subset of Oracle Life Sciences InForm accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

Published: 2026-04-21

Score: 6.5 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

An unauthenticated attacker with network access over HTTP can exploit a flaw in the Oracle Life Sciences InForm application server to perform privileged operations, allowing insert, update, or delete actions on data and read access to a subset of data. The resulting impact is a degradation of confidentiality and integrity, as reflected by the CVSS 3.1 base score of 6.5.

Affected Systems

The affected products are Oracle Life Sciences InForm, version 7.0.1.0 and 7.0.1.1. The flaw resides in the App Server component of the Life Sciences InForm product suite.

Risk and Exploitability

The CVSS Base Score of 6.5 indicates a moderate threat, with Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, and User Interaction: None. Because the vulnerability is triggered by unauthenticated HTTP requests, any host with network access can exploit it without prior compromise. EPSS is not available and the vulnerability is not listed in CISA KEV, but the straightforward network exposure demands remediation to prevent potential data loss.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Life Sciences InForm

affected

Version	Status	Constraints
`7.0.1.0`	affected	—
`7.0.1.1`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Life Sciences Inform

95%

Version	Status	Scheme	Platform
`7.0.1.0`	affected	generic	—
`7.0.1.1`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Oracle Life Sciences InForm patches that address this HTTP remote access vulnerability.
Restrict HTTP access to the InForm App Server by configuring firewalls or network ACLs to allow only trusted hosts and networks.
Monitor application logs for anomalous read or write operations and review database consistency after any detected changes.

Generated by OpenCVE AI on April 22, 2026 at 07:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 07:45:00 +0000

Type	Values Removed	Values Added
Title		Unauthenticated HTTP Access Control Flaw in Oracle Life Sciences InForm
Weaknesses		CWE-200

Wed, 22 Apr 2026 05:15:00 +0000

Type	Values Removed	Values Added
Title	Unauthenticated HTTP Remote Access Vulnerability Allowing Data Modification in Oracle Life Sciences InForm
Weaknesses	CWE-284

Wed, 22 Apr 2026 02:45:00 +0000

Type	Values Removed	Values Added
Title		Unauthenticated HTTP Remote Access Vulnerability Allowing Data Modification in Oracle Life Sciences InForm
Weaknesses		CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: App Server). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as unauthorized read access to a subset of Oracle Life Sciences InForm accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
First Time appeared		Oracle Oracle life Sciences Inform
CPEs		cpe:2.3:a:oracle:life_sciences_inform:7.0.1.0:::::::* cpe:2.3:a:oracle:life_sciences_inform:7.0.1.1:::::::*
Vendors & Products		Oracle Oracle life Sciences Inform
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Oracle Life Sciences Inform

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:42.273Z

Updated: 2026-04-21T20:35:42.273Z

Reserved: 2026-03-26T19:48:45.682Z

Link: CVE-2026-34324

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:38.080

Modified: 2026-04-21T21:16:38.080

Link: CVE-2026-34324

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T07:30:11Z

Weaknesses

CWE-200

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object