CVE-2026-35244 - Vulnerability Details

- Unauthorized Data Modification in Oracle Hyperion Infrastructure Technology via HTTP

Description

Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Infrastructure Technology accessible data as well as unauthorized read access to a subset of Oracle Hyperion Infrastructure Technology accessible data. CVSS 3.1 Base Score 5.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N).

Published: 2026-04-21

Score: 5.2 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability exists in the Lifecycle Management component of Oracle Hyperion Infrastructure Technology that allows a high‑privileged attacker with HTTP network access to compromise the system. Successful exploitation requires the attacker to obtain high privileges and user interaction from an external person, enabling unauthorized creation, deletion or modification of critical data, or unauthorized read access to a subset of data. The CV of 5.2 highlights impacts on confidentiality and integrity.

Affected Systems

Oracle Corporation’s Hyperion Infrastructure Technology, version 11.2.24.0.000, is affected. No other versions are listed as impacted.

Risk and Exploitability

The risk is moderate (CVSS 5.2). Exploitation is possible over an HTTP interface, requiring a high‑privileged user and human interaction from a person other than the attacker, implying a social engineering component. The EPSS score is not available and the vulnerability is not listed in CISA KEV, suggesting a lower likelihood of widespread exploitation at present.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Hyperion Infrastructure Technology

affected

Version	Status	Constraints
`11.2.24.0.000`	affected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the Oracle patch released in the April 2026 CPU to version 11.2.24.0.000.
Restrict HTTP access to Hyperion servers to trusted internal networks only, blocking external IPs.
Enable detailed auditing on data creation, deletion, and modification events, and monitor logs for unusual activity.

Generated by OpenCVE AI on April 22, 2026 at 04:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 05:00:00 +0000

Type	Values Removed	Values Added
Title		Unauthorized Data Modification in Oracle Hyperion Infrastructure Technology via HTTP
Weaknesses		CWE-250 CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Infrastructure Technology accessible data as well as unauthorized read access to a subset of Oracle Hyperion Infrastructure Technology accessible data. CVSS 3.1 Base Score 5.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N).
First Time appeared		Oracle Oracle hyperion Infrastructure Technology
CPEs		cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.24.0.000:::::::*
Vendors & Products		Oracle Oracle hyperion Infrastructure Technology
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 5.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N'}`

Subscriptions

Oracle Hyperion Infrastructure Technology

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:50.742Z

Updated: 2026-04-21T20:35:50.742Z

Reserved: 2026-04-01T20:03:40.833Z

Link: CVE-2026-35244

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:40.400

Modified: 2026-04-21T21:16:40.400

Link: CVE-2026-35244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:45:09Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object