CVE-2026-34284: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. in Oracle Corporation Oracle Business Process Management Suite
Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
AI Analysis
Technical Summary
This vulnerability exists in the Human Workflow 11g+ component of Oracle Business Process Management Suite. It is exploitable remotely over HTTP without authentication but requires user interaction from a third party. The vulnerability has a CVSS 3.1 base score of 6.1, indicating medium severity with impacts on confidentiality and integrity. Exploitation can result in unauthorized modification and disclosure of certain accessible data within the affected product. The scope of impact may extend to additional Oracle products due to the suite's integration. Oracle's April 2026 Critical Patch Update advisory includes patches addressing this vulnerability among 481 others across multiple product families.
Potential Impact
Successful exploitation can lead to unauthorized update, insertion, or deletion of some data accessible via Oracle Business Process Management Suite, as well as unauthorized read access to a subset of that data. The vulnerability affects confidentiality and integrity but does not impact availability. The attack requires human interaction from a user other than the attacker, which limits automated exploitation. There are no known exploits in the wild at the time of publication.
Mitigation Recommendations
Oracle has released security patches for this vulnerability as part of its April 2026 Critical Patch Update for Fusion Middleware products, which includes Oracle Business Process Management Suite. Customers are strongly advised to apply these patches promptly to remediate the vulnerability. No alternative mitigations or temporary fixes are specified. Patch status is confirmed by the vendor advisory. Organizations should ensure they remain on actively supported versions and apply Critical Patch Updates without delay.
CVE-2026-34284: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. in Oracle Corporation Oracle Business Process Management Suite
Description
Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware (component: Human workflow 11g+). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Business Process Management Suite. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Business Process Management Suite, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Business Process Management Suite accessible data as well as unauthorized read access to a subset of Oracle Business Process Management Suite accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability exists in the Human Workflow 11g+ component of Oracle Business Process Management Suite. It is exploitable remotely over HTTP without authentication but requires user interaction from a third party. The vulnerability has a CVSS 3.1 base score of 6.1, indicating medium severity with impacts on confidentiality and integrity. Exploitation can result in unauthorized modification and disclosure of certain accessible data within the affected product. The scope of impact may extend to additional Oracle products due to the suite's integration. Oracle's April 2026 Critical Patch Update advisory includes patches addressing this vulnerability among 481 others across multiple product families.
Potential Impact
Successful exploitation can lead to unauthorized update, insertion, or deletion of some data accessible via Oracle Business Process Management Suite, as well as unauthorized read access to a subset of that data. The vulnerability affects confidentiality and integrity but does not impact availability. The attack requires human interaction from a user other than the attacker, which limits automated exploitation. There are no known exploits in the wild at the time of publication.
Mitigation Recommendations
Oracle has released security patches for this vulnerability as part of its April 2026 Critical Patch Update for Fusion Middleware products, which includes Oracle Business Process Management Suite. Customers are strongly advised to apply these patches promptly to remediate the vulnerability. No alternative mitigations or temporary fixes are specified. Patch status is confirmed by the vendor advisory. Organizations should ensure they remain on actively supported versions and apply Critical Patch Updates without delay.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-03-26T19:48:45.676Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e5a419fe3cd2cdf9f885
Added to database: 4/21/2026, 9:01:24 PM
Last enriched: 4/21/2026, 10:02:27 PM
Last updated: 4/22/2026, 5:57:21 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.