Description
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Confidentiality Breach via Unauthorized Data Access
Action: Assess Impact
AI Analysis

Impact

The vulnerability lies in the Java VM component of Oracle Database Server. An attacker who can reach the server over Oracle Net, without authentication, can exploit the weakness to compromise the Java VM. Successful attacks can provide unauthorized access to critical data stored in the database or to any data that the Java VM can retrieve, resulting in a significant breach of confidentiality.

Affected Systems

Oracle Corporation’s Oracle Database Server is affected. Versions 19c from 19.3 through 19.30 and 21c from 21.3 through 21.21 contain the vulnerable Java VM component.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 highlights a high confidentiality impact. The attack vector is network-based via Oracle Net, requires no authentication, and an attacker can launch the exploit with low effort. The EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, but the public documentation of the issue indicates that it can be exploited in the wild. Organizations should treat it as a significant risk until a patch is applied.

Generated by OpenCVE AI on April 22, 2026 at 04:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available Oracle patches for the Java VM component in versions 19.3‑19.30 and 21.3‑21.21 as soon as they are released.
  • Restrict Oracle Net access to trusted hosts only using firewall or ACL rules to reduce unauthenticated network reach.
  • If the Java VM functionality is not required, disable or remove it from the database instance to eliminate the attack surface.
  • Continuously monitor database and network logs for anomalous Oracle Net connections or unexpected Java VM activity and investigate promptly.



Advisories

No advisories yet.

History

Wed, 22 Apr 2026 07:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Oracle database Server
Vendors & Products  |                | Oracle database Server

Wed, 22 Apr 2026 05:15:00 +0000

Type  | Values Removed | Values Added
Title |                | Java VM Component Vulnerability Allows Unauthenticated Access to Database Data via Oracle Net

Wed, 22 Apr 2026 00:00:00 +0000

Type                | Values Removed | Values Added
Description         |                | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared |                | Oracle; Oracle database - Java Vm
CPEs                |                | cpe:2.3:a:oracle:database_-_java_vm:*:*:*:*:*:*:*:*
Vendors & Products  |                | Oracle; Oracle database - Java Vm
References          |                |
Metrics             |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Oracle Database - Java Vm Database Server
MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:43.259Z

Reserved: 2026-04-01T20:03:40.833Z

Link: CVE-2026-35229

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:38.440

Modified: 2026-04-21T21:16:38.440

Link: CVE-2026-35229

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T06:45:10Z

Weaknesses

No weakness.