Description
Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: App Server). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as unauthorized read access to a subset of Oracle Life Sciences InForm accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data modification and disclosure
Action: Apply Update
AI Analysis

Impact

An unauthenticated attacker who can reach the Oracle Life Sciences InForm application over HTTP can exploit a flaw in the application server that bypasses access controls. The flaw allows unauthorized insert, update, or delete operations and restricted read access to InForm data. The weakness is classified as CWE‑284, causing a degradation of confidentiality and integrity reflected by a CVSS 3.1 base score of 6.5.

Affected Systems

Oracle Life Sciences InForm, versions 7.0.1.0 and 7.0.1.1 are known to be affected. The vulnerability resides in the App Server component of the product.

Risk and Exploitability

The CVSS base score of 6.5, with Network access and no required privileges, indicates a moderate threat. EPSS < 1% suggests a very low but nonzero chance of exploitation. The issue is not part of the CISA KEV catalog. Because the flaw is triggered by unauthenticated HTTP requests, any host that can reach the InForm server is a potential attack target, emphasizing the need for mitigations.

Generated by OpenCVE AI on April 28, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patches or updates for Oracle Life Sciences InForm once released to address the HTTP access control issue.
  • Restrict HTTP access to the InForm application server to trusted IP ranges using firewalls or network ACLs to limit unauthenticated network exposure.
  • Monitor application logs and database activity for unauthorized read/write operations, and verify role‐based access controls on HTTP endpoints to enforce proper authorization.

Generated by OpenCVE AI on April 28, 2026 at 21:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Control Bypass in Oracle Life Sciences InForm

Tue, 28 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Control Flaw in Oracle Life Sciences InForm
Weaknesses CWE-200

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 07:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Control Flaw in Oracle Life Sciences InForm
Weaknesses CWE-200

Wed, 22 Apr 2026 05:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Access Vulnerability Allowing Data Modification in Oracle Life Sciences InForm
Weaknesses CWE-284

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Access Vulnerability Allowing Data Modification in Oracle Life Sciences InForm
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Life Sciences InForm product of Oracle Life Science Applications (component: App Server). Supported versions that are affected are 7.0.1.0 and 7.0.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences InForm. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences InForm accessible data as well as unauthorized read access to a subset of Oracle Life Sciences InForm accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
First Time appeared Oracle
Oracle life Sciences Inform
CPEs cpe:2.3:a:oracle:life_sciences_inform:7.0.1.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:life_sciences_inform:7.0.1.1:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle life Sciences Inform
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Oracle Life Sciences Inform
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T15:34:32.777Z

Reserved: 2026-03-26T19:48:45.682Z

Link: CVE-2026-34324

cve-icon Vulnrichment

Updated: 2026-04-22T15:20:22.245Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-21T21:16:38.080

Modified: 2026-04-23T16:42:50.107

Link: CVE-2026-34324

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses