Description
Vulnerability in Oracle Fusion Middleware (component: Dynamic Monitoring Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Fusion Middleware. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Fusion Middleware, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Fusion Middleware accessible data as well as unauthorized read access to a subset of Oracle Fusion Middleware accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-04-21
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: Unauthorized Data Modification and Disclosure
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the Dynamic Monitoring Service of Oracle Fusion Middleware allows a low‑privileged attacker with network access via HTTP to obtain unauthorized read, insert, update, or delete access to data that the middleware exposes. Exploitation requires interaction from a person other than the attacker. The weakness stems from insufficient access control and privilege checks, which let the attacker bypass expected restrictions. This can lead to confidentiality and integrity issues for sensitive data managed by the middleware.

Affected Systems

Oracle Corporation’s Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0 are affected. These versions include the Dynamic Monitoring Service component that contains the flaw.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. The attack vector is network‑based over HTTP, with low attack complexity and low privileges required, but exploitation still requires interaction from a human user other than the attacker. The EPSS score is not available, so the likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalogue. Nevertheless, because successful exploitation can change, delete, or read data, the potential impact on confidentiality and integrity warrants swift action. In addition, the vulnerability’s scope change means attackers could affect other Oracle products beyond Fusion Middleware.

Generated by OpenCVE AI on April 22, 2026 at 04:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle Fusion Middleware patch that addresses the Dynamic Monitoring Service access control flaw.
  • Restrict inbound HTTP traffic to the Dynamic Monitoring Service using network firewalls or access control lists, limiting exposure to trusted IP ranges.
  • Disable or harden the Dynamic Monitoring Service if it is not required for operation, reducing the attack surface.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 05:15:00 +0000

Type | Values Removed | Values Added
Title |  | Unauthorized Data Modification via Oracle Fusion Middleware Dynamic Monitoring Service
Weaknesses |  | CWE-284, CWE-285

Wed, 22 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
Description |  | Vulnerability in Oracle Fusion Middleware (component: Dynamic Monitoring Service). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Fusion Middleware. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Fusion Middleware, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Fusion Middleware accessible data as well as unauthorized read access to a subset of Oracle Fusion Middleware accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
First Time appeared |  | Oracle; Oracle fusion Middleware
CPEs |  | cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:fusion_middleware:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products |  | Oracle; Oracle fusion Middleware
References |  |
Metrics |  | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-21T20:35:45.335Z

Reserved: 2026-04-01T20:03:40.833Z

Link: CVE-2026-35232

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-21T21:16:38.847

Modified: 2026-04-21T21:16:38.847

Link: CVE-2026-35232

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:00:09Z

Weaknesses