Description
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-04-21
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local takeover of Oracle ADF
Action: Patch Immediately
AI Analysis

Impact

A flaw in the ADF Faces component of Oracle Application Development Framework (ADF) enables a low‑privileged user who can log on to the underlying host to compromise the ADF instance. The vulnerability allows the attacker to take control of ADF, affecting confidentiality, integrity, and availability. The weakness is identified as CWE‑284 and is scored with a CVSS v3.1 Base Score of 7.8, indicating high severity.

Affected Systems

Oracle Corporation’s Oracle Application Development Framework (ADF) is affected. The flaw applies to the ADF Faces feature in the supported releases 12.2.1.4.0 and 14.1.2.0.0, which are components of Oracle Fusion Middleware. Systems running these specific versions are vulnerable unless the security update is applied.

Risk and Exploitability

The CVSS score of 7.8 reflects a serious risk level. The EPSS score of less than 1% indicates that the likelihood of exploitation in the wild is low. The vulnerability is not listed in the CISA KEV catalog. However, it requires only low attacker privileges and local execution; any user who can log into the host can readily exploit the flaw to achieve a full takeover of the ADF instance.

Generated by OpenCVE AI on April 28, 2026 at 21:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle CPU April 2026 security update for ADF 12.2.1.4.0 and 14.1.2.0.0 as published in Oracle’s security advisory.
  • Restrict local logon privileges on servers running Oracle ADF to only essential administrative accounts, following the principle of least privilege.
  • Disable or restrict access to unused ADF Faces components or services that are not required for operation to reduce the attack surface.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege Local Vulnerability in Oracle ADF Faces Allows Local Takeover

Mon, 27 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
Title Low‑Privilege Oracle ADF Faces Vulnerability Allows System Takeover
Weaknesses CWE-285

Wed, 22 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 05:00:00 +0000

Type Values Removed Values Added
Title Low‑Privilege Oracle ADF Faces Vulnerability Allows System Takeover
Weaknesses CWE-285

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle application Development Framework
CPEs cpe:2.3:a:oracle:application_development_framework:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_development_framework:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle application Development Framework
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-02T03:55:32.455Z

Reserved: 2026-04-01T20:03:40.833Z

Link: CVE-2026-35243

Vulnrichment

Updated: 2026-04-22T15:20:37.007Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:40.260

Modified: 2026-04-24T16:43:37.050

Link: CVE-2026-35243

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses