This vulnerability affects the JAXP component in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition across multiple versions including 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26. It allows an unauthenticated attacker with network access via multiple protocols to exploit APIs and gain unauthorized access to critical or all accessible data. The vulnerability also impacts Java deployments that run sandboxed Java Web Start applications or applets loading untrusted code relying on the Java sandbox for security. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and high confidentiality impact. Oracle’s April 2026 Critical Patch Update advisory includes this vulnerability among 481 security patches, but does not explicitly confirm patch availability or remediation level for this specific CVE.

Successful exploitation can lead to unauthorized access to critical or all accessible data within Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition environments. The confidentiality of sensitive information is compromised, but there is no impact on integrity or availability according to the CVSS vector. The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk of data exposure in affected systems.

Oracle’s April 2026 Critical Patch Update advisory includes this vulnerability among numerous security patches and strongly recommends applying these patches without delay. Although the advisory does not explicitly confirm the patch status for CVE-2026-22016, customers should promptly apply the April 2026 Critical Patch Update to mitigate this vulnerability. Staying on actively supported versions and timely patching are critical. If patch application is not immediately possible, consider restricting network access to affected services and APIs as a temporary measure until patches can be applied.