CVE-2026-21999: Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all XML Database accessible data. in Oracle Corporation Oracle Database Server
Vulnerability in the XML Database component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all XML Database accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
AI Analysis
Technical Summary
This vulnerability affects the XML Database component of Oracle Database Server versions 23.4.0 to 23.26.1. It permits an unauthenticated attacker with network access over HTTPS to compromise the XML Database, potentially resulting in unauthorized access to critical or all XML Database data. Successful exploitation requires user interaction from a third party. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no impact on integrity or availability. Oracle’s April 2026 Critical Patch Update advisory references multiple patches across products but does not explicitly confirm a patch for this specific vulnerability. Oracle recommends applying the latest Critical Patch Update to address this and other vulnerabilities.
Potential Impact
Successful exploitation can lead to unauthorized access to critical or all data accessible via the XML Database component of Oracle Database Server. There is no impact on data integrity or availability. The attack requires network access via HTTPS and user interaction from a person other than the attacker, making exploitation difficult. No known exploits in the wild have been reported. The confidentiality impact is high, but overall severity is medium based on the CVSS score of 5.3.
Mitigation Recommendations
Oracle’s April 2026 Critical Patch Update advisory strongly recommends applying the latest patches promptly. Although the advisory does not explicitly confirm a patch for CVE-2026-21999, it is part of the cumulative security updates. Customers should review the April 2026 Critical Patch Update documentation and apply all relevant patches for Oracle Database Server versions 23.4.0 through 23.26.1. Until patches are applied, limiting network exposure of the XML Database component and educating users to avoid interacting with suspicious content may reduce risk. Patch status is not yet explicitly confirmed for this vulnerability; check Oracle’s advisory for current remediation guidance.
CVE-2026-21999: Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all XML Database accessible data. in Oracle Corporation Oracle Database Server
Description
Vulnerability in the XML Database component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise XML Database. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all XML Database accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the XML Database component of Oracle Database Server versions 23.4.0 to 23.26.1. It permits an unauthenticated attacker with network access over HTTPS to compromise the XML Database, potentially resulting in unauthorized access to critical or all XML Database data. Successful exploitation requires user interaction from a third party. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, high confidentiality impact, and no impact on integrity or availability. Oracle’s April 2026 Critical Patch Update advisory references multiple patches across products but does not explicitly confirm a patch for this specific vulnerability. Oracle recommends applying the latest Critical Patch Update to address this and other vulnerabilities.
Potential Impact
Successful exploitation can lead to unauthorized access to critical or all data accessible via the XML Database component of Oracle Database Server. There is no impact on data integrity or availability. The attack requires network access via HTTPS and user interaction from a person other than the attacker, making exploitation difficult. No known exploits in the wild have been reported. The confidentiality impact is high, but overall severity is medium based on the CVSS score of 5.3.
Mitigation Recommendations
Oracle’s April 2026 Critical Patch Update advisory strongly recommends applying the latest patches promptly. Although the advisory does not explicitly confirm a patch for CVE-2026-21999, it is part of the cumulative security updates. Customers should review the April 2026 Critical Patch Update documentation and apply all relevant patches for Oracle Database Server versions 23.4.0 through 23.26.1. Until patches are applied, limiting network exposure of the XML Database component and educating users to avoid interacting with suspicious content may reduce risk. Patch status is not yet explicitly confirmed for this vulnerability; check Oracle’s advisory for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-01-05T18:07:34.724Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e59b19fe3cd2cdf9f60e
Added to database: 4/21/2026, 9:01:15 PM
Last enriched: 4/21/2026, 10:19:22 PM
Last updated: 4/22/2026, 6:00:09 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.