This vulnerability affects Oracle Advanced Inbound Telephony component of Oracle E-Business Suite versions 12.2.3 to 12.2.15. It is an easily exploitable, unauthenticated network vulnerability accessible via HTTP that allows attackers to compromise the product fully. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates no privileges or user interaction are required, and the impact includes complete loss of confidentiality, integrity, and availability. The vulnerability is tracked as CWE-306 (Missing Authentication for Critical Function). Oracle has acknowledged this issue in its April 2026 Critical Patch Update advisory, which includes patches for many products, but the advisory does not explicitly confirm patch availability for this specific vulnerability. The vendor strongly recommends applying the Critical Patch Update without delay to mitigate this and other vulnerabilities.

Successful exploitation allows an unauthenticated attacker with network access via HTTP to take over Oracle Advanced Inbound Telephony, leading to full compromise of confidentiality, integrity, and availability of the affected system. This could result in unauthorized access, data disclosure, data modification, and service disruption within the affected Oracle product environment.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. While the advisory does not explicitly confirm a patch specifically for CVE-2026-34275, it strongly recommends that customers apply the April 2026 Critical Patch Update promptly to address this and other vulnerabilities. Until patches are applied, organizations should consider restricting network access to Oracle Advanced Inbound Telephony interfaces if possible. Patch status is not yet confirmed explicitly for this vulnerability; therefore, customers should monitor the Oracle advisory for updates and apply patches as soon as they become available.