This vulnerability affects Oracle HCM Common Architecture component Knowledge Integration in Oracle E-Business Suite versions 12.2.3 to 12.2.15. It is exploitable remotely over HTTP without authentication, allowing attackers to access critical or all accessible data within the affected product. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, and high confidentiality impact with no integrity or availability impact. The vulnerability is listed in Oracle's April 2026 Critical Patch Update advisory, which contains numerous patches for Oracle products. Oracle urges customers to apply these patches without delay to mitigate exploitation risks.

Successful exploitation can lead to unauthorized access to critical or all accessible data in Oracle HCM Common Architecture, potentially compromising sensitive information. The vulnerability does not impact integrity or availability but poses a high confidentiality risk. No known exploits in the wild have been reported as of the advisory date.

Oracle has released a Critical Patch Update in April 2026 that addresses this vulnerability among others. Customers should promptly apply the April 2026 Critical Patch Update to Oracle HCM Common Architecture and other affected products. The vendor advisory strongly recommends remaining on actively supported versions and applying patches without delay. Patch status for this specific vulnerability is not explicitly detailed beyond inclusion in the CPU; therefore, checking the vendor advisory for the latest patch availability and installation instructions is essential.