CVE-2026-34274 affects Oracle Configurator, a component of Oracle E-Business Suite user interface, in versions 12.2.3 to 12.2.15. It is an easily exploitable vulnerability that allows an unauthenticated attacker with network access over HTTP to perform unauthorized data manipulation (update, insert, delete) and unauthorized read operations on some Oracle Configurator accessible data. Successful exploitation requires human interaction from a person other than the attacker and may impact additional Oracle products due to scope change. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, low confidentiality and integrity impact, and no availability impact. Oracle’s April 2026 Critical Patch Update advisory references a large set of patches but does not explicitly confirm a patch for this CVE in the provided content. The vulnerability is published and has no known active exploitation.

An attacker with network access via HTTP can exploit this vulnerability without authentication but requires a user other than themselves to interact (social engineering). Successful exploitation can lead to unauthorized reading of some data and unauthorized modification (update, insert, delete) of some Oracle Configurator accessible data. The vulnerability affects confidentiality and integrity but not availability. Due to scope change, other Oracle products may be affected indirectly. No known exploits in the wild have been reported to date.

Oracle’s April 2026 Critical Patch Update advisory includes numerous security patches across Oracle products. However, the provided advisory content does not explicitly confirm a patch or official fix for CVE-2026-34274. Patch status is therefore not yet confirmed — users should consult the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest remediation guidance. Until a patch is confirmed and applied, organizations should be aware of the requirement for user interaction in exploitation and consider mitigating social engineering risks. No vendor advisory states that no action is required or that the vulnerability is already mitigated.