This vulnerability affects Oracle Agile Product Lifecycle Management for Process version 6.2.4, specifically within the Product Quality Management component. It allows an attacker with low privileges and network access over HTTP to compromise the product, resulting in unauthorized read access to some data. The CVSS 3.1 base score is 4.3, reflecting a low complexity attack vector with limited confidentiality impact and no impact on integrity or availability. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information). The April 2026 Oracle Critical Patch Update advisory references this product and version but does not explicitly confirm a patch for this vulnerability in the provided content.

Successful exploitation results in unauthorized disclosure of some data accessible through Oracle Agile Product Lifecycle Management for Process. There is no impact on data integrity or system availability. The attack requires network access and low privileges, making it moderately accessible to attackers within the network environment.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. However, the advisory content provided does not explicitly confirm the availability of a patch for this specific vulnerability. Customers are strongly advised to review the April 2026 Critical Patch Update documentation at https://www.oracle.com/security-alerts/cpuapr2026.html for detailed patch availability and to apply all relevant patches promptly. Until a patch is confirmed and applied, limiting network access to the affected service and monitoring for unusual activity may reduce risk.