CVE-2026-34268 is a vulnerability in the security component of Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. It affects versions including 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2, and 26, among others. The vulnerability allows an unauthenticated attacker who has logon access to the infrastructure where these products run to compromise them and gain unauthorized read access to a subset of accessible data. The attack complexity is high, and no privileges or user interaction are required. The vulnerability can be exploited via APIs, for example through web services supplying data to these APIs, and also applies to sandboxed Java Web Start applications or applets running untrusted code. The CVSS 3.1 base score is 2.9, indicating low severity with confidentiality impact only. Oracle's April 2026 Critical Patch Update advisory references many patches but does not explicitly confirm a patch for this CVE. Oracle recommends applying Critical Patch Updates promptly.

Successful exploitation of this vulnerability can lead to unauthorized read access to certain data accessible by Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. The impact is limited to confidentiality with no integrity or availability effects. Exploitation requires local logon access and is difficult due to high attack complexity. There are no known exploits in the wild at this time.

Oracle's April 2026 Critical Patch Update advisory recommends applying the latest patches promptly to address security vulnerabilities. Although the advisory does not explicitly confirm a patch for CVE-2026-34268, customers should remain on actively supported versions and apply all Critical Patch Updates without delay. No vendor advisory states that no action is required or that the vulnerability is already mitigated. Therefore, applying Oracle's official patches as they become available is the recommended mitigation.