CVE-2026-22013: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. in Oracle Corporation Oracle Java SE
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
AI Analysis
Technical Summary
CVE-2026-22013 is a vulnerability in the JGSS component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition affecting versions including Java SE 8u481 through 26 and GraalVM versions 17.0.18 and 21.0.10. The flaw allows an unauthenticated attacker with network access via multiple protocols to compromise the affected products by exploiting a scenario that requires user interaction from someone other than the attacker. The vulnerability applies to client-side Java deployments that load and run untrusted code in sandboxed environments, such as Java Web Start applications or applets, relying on the Java sandbox for security. Server-side deployments running only trusted code are not affected. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects a network attack vector with high attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality impact without integrity or availability impact. Oracle’s April 2026 Critical Patch Update advisory references this vulnerability among 481 security patches but does not explicitly confirm patch availability for this specific issue, advising customers to apply updates promptly.
Potential Impact
Successful exploitation can lead to unauthorized access to critical or all accessible data within Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition environments. The vulnerability affects confidentiality but does not impact integrity or availability. Exploitation requires network access and user interaction from a third party, making it difficult to exploit. It primarily affects client-side Java deployments running untrusted code in sandboxed environments, not server-side trusted code deployments.
Mitigation Recommendations
Oracle strongly recommends applying the April 2026 Critical Patch Update, which includes security patches addressing this vulnerability among many others. Since the vendor advisory does not explicitly confirm patch availability for this specific vulnerability, users should verify patch status and installation instructions in the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html. Maintaining up-to-date patches on actively supported versions is the primary mitigation. No alternative mitigations or 'no action required' statements are provided by the vendor.
CVE-2026-22013: Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. in Oracle Corporation Oracle Java SE
Description
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JGSS). Supported versions that are affected are Oracle Java SE: 8u481, 8u481-b50, 8u481-perf, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK: 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition: 21.3.17. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-22013 is a vulnerability in the JGSS component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition affecting versions including Java SE 8u481 through 26 and GraalVM versions 17.0.18 and 21.0.10. The flaw allows an unauthenticated attacker with network access via multiple protocols to compromise the affected products by exploiting a scenario that requires user interaction from someone other than the attacker. The vulnerability applies to client-side Java deployments that load and run untrusted code in sandboxed environments, such as Java Web Start applications or applets, relying on the Java sandbox for security. Server-side deployments running only trusted code are not affected. The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N) reflects a network attack vector with high attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality impact without integrity or availability impact. Oracle’s April 2026 Critical Patch Update advisory references this vulnerability among 481 security patches but does not explicitly confirm patch availability for this specific issue, advising customers to apply updates promptly.
Potential Impact
Successful exploitation can lead to unauthorized access to critical or all accessible data within Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition environments. The vulnerability affects confidentiality but does not impact integrity or availability. Exploitation requires network access and user interaction from a third party, making it difficult to exploit. It primarily affects client-side Java deployments running untrusted code in sandboxed environments, not server-side trusted code deployments.
Mitigation Recommendations
Oracle strongly recommends applying the April 2026 Critical Patch Update, which includes security patches addressing this vulnerability among many others. Since the vendor advisory does not explicitly confirm patch availability for this specific vulnerability, users should verify patch status and installation instructions in the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html. Maintaining up-to-date patches on actively supported versions is the primary mitigation. No alternative mitigations or 'no action required' statements are provided by the vendor.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-01-05T18:07:34.727Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e59e19fe3cd2cdf9f6e8
Added to database: 4/21/2026, 9:01:18 PM
Last enriched: 4/21/2026, 10:18:00 PM
Last updated: 4/22/2026, 6:07:08 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.