This vulnerability (CVE-2026-34279) exists in the Event Management component of Oracle Enterprise Manager Base Platform, affecting versions 13.5 and 24.1. It is easily exploitable by a high privileged attacker with network access over HTTP and can lead to complete compromise of the platform. The CVSS 3.1 base score is 9.1, indicating critical severity with high impact on confidentiality, integrity, and availability. The vulnerability also has a scope change, meaning it can affect additional Oracle products beyond the base platform. Oracle’s April 2026 Critical Patch Update advisory references multiple patches across many products but does not explicitly confirm a patch for this specific vulnerability. The platform is not a cloud service, so remediation depends on customer-applied patches.

Successful exploitation can result in full takeover of Oracle Enterprise Manager Base Platform, impacting confidentiality, integrity, and availability of the system. Due to scope change, other Oracle products integrated with or dependent on the platform may also be significantly affected. No known active exploits have been reported, but the vulnerability is considered critical given the ease of exploitation and potential impact.

Oracle has released a Critical Patch Update advisory in April 2026 covering multiple vulnerabilities across its product portfolio. Customers are strongly advised to review the advisory at https://www.oracle.com/security-alerts/cpuapr2026.html and apply all relevant patches promptly. Since the vendor advisory does not explicitly confirm the patch status for CVE-2026-34279, customers should verify patch availability for Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 and apply updates as soon as possible. No alternative mitigations or workarounds are specified by Oracle. Maintaining up-to-date patches is critical to prevent exploitation.