This vulnerability affects the XML Database component of Oracle Database Server versions 23.4.0 to 23.26.1. It permits an unauthenticated attacker with network access over HTTPS to compromise the XML Database, potentially leading to unauthorized access to critical or all accessible XML data. Successful exploitation requires user interaction from a third party. The CVSS vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality impact without integrity or availability impact. Oracle's April 2026 Critical Patch Update advisory references multiple patches but does not explicitly confirm a patch for this specific vulnerability. No known exploits are reported in the wild.

Successful exploitation can result in unauthorized access to critical or all accessible XML Database data, impacting confidentiality. There is no reported impact on data integrity or availability. The vulnerability requires human interaction and is difficult to exploit, which reduces the likelihood of widespread exploitation. No known active exploits have been reported.

Oracle's April 2026 Critical Patch Update advisory includes numerous patches for Oracle products and strongly recommends applying these updates promptly. However, the advisory does not explicitly confirm a patch for CVE-2026-21999. Therefore, patch status is not yet confirmed—check the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Customers should remain on actively supported versions and apply Critical Patch Updates without delay to mitigate this and other vulnerabilities.