This vulnerability affects Oracle User Management in Oracle E-Business Suite versions 12.2.7 to 12.2.15. It permits a high privileged attacker with network access over HTTP to gain unauthorized update, insert, delete, and read access to certain Oracle User Management data. The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N) indicates network attack vector, low attack complexity, high privileges required, no user interaction, unchanged scope, and low confidentiality and integrity impacts with no availability impact. The vulnerability stems from insufficient access control mechanisms (CWE-284). Oracle’s April 2026 Critical Patch Update advisory references multiple patches but does not explicitly confirm a patch for this CVE. Customers are advised to apply the latest cumulative patches from Oracle promptly.

Successful exploitation allows unauthorized read and modification (update, insert, delete) of some data accessible via Oracle User Management. The impact is limited to confidentiality and integrity with no availability impact. The CVSS score of 3.8 reflects a low severity vulnerability requiring high privileges to exploit. No known active exploitation has been reported.

Oracle’s April 2026 Critical Patch Update advisory strongly recommends applying the latest cumulative security patches without delay. Although no specific patch for CVE-2026-22014 is explicitly confirmed in the advisory, applying the April 2026 CPU and staying current with Oracle patches is the advised remediation. Customers should ensure they run supported versions and promptly apply Oracle’s Critical Patch Updates. Patch status is not explicitly confirmed for this CVE; therefore, check the vendor advisory regularly for updated remediation guidance.