CVE-2026-34291: Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. in Oracle Corporation Oracle HTTP Server
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
AI Analysis
Technical Summary
This vulnerability affects Oracle HTTP Server, a component of Oracle Fusion Middleware, specifically versions 12.2.1.4.0 and 14.1.2.0.0. It allows an unauthenticated attacker with network access via HTTP to compromise the server, potentially leading to unauthorized creation, deletion, or modification of critical data accessible through the server. The vulnerability impacts confidentiality and integrity with a CVSS 3.1 score of 8.7 and includes a scope change affecting additional Oracle products. The vulnerability is categorized under CWE-284 (Improper Access Control). Oracle has acknowledged the issue in its April 2026 Critical Patch Update advisory, which bundles patches for multiple vulnerabilities across various Oracle products, including Fusion Middleware. While the advisory strongly urges customers to apply the update promptly, it does not explicitly confirm a dedicated patch for this specific CVE. No known public exploits have been reported.
Potential Impact
Successful exploitation of CVE-2026-34291 can result in unauthorized creation, deletion, or modification of critical data accessible via Oracle HTTP Server, as well as unauthorized access to such data. The vulnerability affects confidentiality and integrity but does not impact availability. The scope of the vulnerability extends beyond Oracle HTTP Server to potentially affect additional Oracle products. The high CVSS score (8.7) reflects the significant risk posed by this vulnerability. No known exploits in the wild have been reported to date.
Mitigation Recommendations
Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory, which contains security patches for Fusion Middleware products including Oracle HTTP Server. Customers are strongly advised to apply the April 2026 Critical Patch Update promptly to address this and other vulnerabilities. Since no explicit patch or remediation level is confirmed for this specific CVE outside the advisory, organizations should monitor Oracle's advisory page for updates and ensure timely application of the recommended patches. No vendor advisory states that no action is required or that the issue is already mitigated; therefore, patching is the recommended mitigation.
CVE-2026-34291: Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. in Oracle Corporation Oracle HTTP Server
Description
Vulnerability in the Oracle HTTP Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. While the vulnerability is in Oracle HTTP Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server accessible data. CVSS 3.1 Base Score 8.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).
CVSS v3.1
Score 8.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Oracle HTTP Server, a component of Oracle Fusion Middleware, specifically versions 12.2.1.4.0 and 14.1.2.0.0. It allows an unauthenticated attacker with network access via HTTP to compromise the server, potentially leading to unauthorized creation, deletion, or modification of critical data accessible through the server. The vulnerability impacts confidentiality and integrity with a CVSS 3.1 score of 8.7 and includes a scope change affecting additional Oracle products. The vulnerability is categorized under CWE-284 (Improper Access Control). Oracle has acknowledged the issue in its April 2026 Critical Patch Update advisory, which bundles patches for multiple vulnerabilities across various Oracle products, including Fusion Middleware. While the advisory strongly urges customers to apply the update promptly, it does not explicitly confirm a dedicated patch for this specific CVE. No known public exploits have been reported.
Potential Impact
Successful exploitation of CVE-2026-34291 can result in unauthorized creation, deletion, or modification of critical data accessible via Oracle HTTP Server, as well as unauthorized access to such data. The vulnerability affects confidentiality and integrity but does not impact availability. The scope of the vulnerability extends beyond Oracle HTTP Server to potentially affect additional Oracle products. The high CVSS score (8.7) reflects the significant risk posed by this vulnerability. No known exploits in the wild have been reported to date.
Mitigation Recommendations
Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory, which contains security patches for Fusion Middleware products including Oracle HTTP Server. Customers are strongly advised to apply the April 2026 Critical Patch Update promptly to address this and other vulnerabilities. Since no explicit patch or remediation level is confirmed for this specific CVE outside the advisory, organizations should monitor Oracle's advisory page for updates and ensure timely application of the recommended patches. No vendor advisory states that no action is required or that the issue is already mitigated; therefore, patching is the recommended mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-03-26T19:48:45.677Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e5a619fe3cd2cdf9f932
Added to database: 4/21/2026, 9:01:26 PM
Last enriched: 4/29/2026, 11:05:58 AM
Last updated: 6/4/2026, 10:50:45 PM
Views: 76
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.