This vulnerability affects Oracle Business Process Management Suite's Human Workflow 11g+ component in versions 12.2.1.4.0 and 14.1.2.0.0. It is exploitable remotely over HTTP without authentication but requires user interaction from a third party. The vulnerability can result in unauthorized read and modification (update, insert, delete) of accessible data within the product. The scope of impact may extend beyond the suite to other Oracle products. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) reflects network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and low confidentiality and integrity impacts with no availability impact. Oracle has addressed this vulnerability in its April 2026 Critical Patch Update for Fusion Middleware products.

Successful exploitation can lead to unauthorized read and modification of some data accessible through Oracle Business Process Management Suite. The vulnerability's scope change means it may affect additional Oracle products beyond the suite itself. The CVSS score of 6.1 indicates a medium severity impact primarily on confidentiality and integrity. There are no known exploits in the wild at this time.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products, which includes Oracle Business Process Management Suite. Customers are strongly advised to apply these official patches without delay to mitigate the vulnerability. No alternative or temporary mitigations are specified in the vendor advisory. Patch status is confirmed by the vendor advisory linked.