Description
Vulnerability in the Oracle Data Integrator product of Oracle Fusion Middleware (component: Market Place). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Data Integrator. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Data Integrator accessible data as well as unauthorized access to critical data or complete access to all Oracle Data Integrator accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Data Integrator. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).
Published: 2026-06-16
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle Data Integrator stores and processes sensitive data in Oracle Fusion Middleware. A vulnerability in the Market Place component allows an attacker with low privileges and network access over HTTP to bypass authentication controls and create, delete, or modify data. The flaw also enables a partial denial of service that disrupts availability. The weakness is an example of incorrect authorization (CWE‑862).

Affected Systems

Vulnerable releases include Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0. These versions are deployed in many enterprise environments that use Oracle Fusion Middleware for integration tasks. All installations of these versions that expose the Market Place interface are affected.

Risk and Exploitability

The CVSS 3.1 base score of 8.3 reflects high impact to confidentiality and integrity and low impact to availability, as the vector (C:H/I:H/A:L) shows. The EPSS score of less than 1% indicates that exploitation is currently estimated to be unlikely, but the vulnerability is described as easily exploitable, so it remains a significant risk. The flaw is not listed in CISA’s KEV catalog. Attackers can exploit the flaw remotely over HTTP with only low‑privilege credentials, and can manipulate critical data without authorization or cause a partial denial of service.

Generated by OpenCVE AI on June 17, 2026 at 21:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle security patch for Data Integrator 12.2.1.4.0 and 14.1.2.0.0, as detailed in the Oracle security alert.
  • Restrict HTTP access to the Market Place component by implementing network segmentation or firewall rules to allow only trusted hosts.
  • Enforce strong authentication and least privilege for all users accessing Oracle Data Integrator, and audit permissions regularly to ensure proper authorization controls.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values Added (the Values Removed column is empty for this entry):

  • Description: the vulnerability description given at the top of this page
  • First Time appeared: Oracle; Oracle data Integrator
  • CPEs: cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:* and cpe:2.3:a:oracle:data_integrator:14.1.2.0.0:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle data Integrator
  • References: (no values)
  • Metrics: cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:30:36.801Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35262

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses

No weakness.