This vulnerability affects Oracle Agile Product Lifecycle Management for Process version 6.2.4, specifically within the Product Quality Management component. It permits an attacker with low privileges and network access via HTTP to compromise the product and obtain unauthorized read access to a subset of accessible data. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects network attack vector, low attack complexity, required privileges, no user interaction, unchanged scope, and limited confidentiality impact without integrity or availability impact. The vulnerability is publicly disclosed and included in Oracle's April 2026 Critical Patch Update advisory, which provides patches for this and many other vulnerabilities. No direct exploit in the wild is currently known.

Successful exploitation results in unauthorized read access to some data within Oracle Agile Product Lifecycle Management for Process, potentially exposing sensitive information. There is no impact on data integrity or availability. The vulnerability requires network access and low privileges, making it moderately accessible to attackers. The CVSS score of 4.3 reflects a medium severity confidentiality impact.

Oracle has released a Critical Patch Update in April 2026 that addresses this vulnerability among others. Customers using Oracle Agile Product Lifecycle Management for Process version 6.2.4 are strongly advised to apply the April 2026 Critical Patch Update promptly to remediate this issue. Oracle emphasizes maintaining actively-supported versions and timely application of security patches to prevent exploitation. Patch status is confirmed by the vendor advisory; no alternative mitigations are specified.