This vulnerability affects Oracle User Management component of Oracle E-Business Suite versions 12.2.7 to 12.2.15. It permits a high privileged attacker with network access over HTTP to gain unauthorized ability to read and modify certain accessible data within Oracle User Management. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N) reflects that the attack requires high privileges but no user interaction, with low confidentiality and integrity impacts and no availability impact. The vulnerability is included in Oracle's April 2026 Critical Patch Update, which addresses numerous security issues across Oracle products. Oracle strongly recommends applying these patches promptly to mitigate this and other vulnerabilities.

Successful exploitation allows unauthorized read and modification (update, insert, delete) of some Oracle User Management accessible data by a high privileged attacker with network access via HTTP. The impact is limited to confidentiality and integrity with no availability impact. The CVSS score of 3.8 reflects a low severity level. There are no reports of active exploitation in the wild.

Oracle has released the April 2026 Critical Patch Update which includes security patches addressing this vulnerability. Customers should apply the April 2026 Critical Patch Update promptly to remediate this issue. Oracle strongly recommends remaining on actively-supported versions and applying all Critical Patch Updates without delay. Patch status is confirmed by the vendor advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.