This vulnerability affects the Oracle HCM Common Architecture component of Oracle E-Business Suite, specifically versions 12.2.3 through 12.2.15. It is classified under CWE-200 (Exposure of Sensitive Information) and allows an unauthenticated attacker to access critical data over HTTP without requiring privileges or user interaction. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction needed, unchanged scope, and high confidentiality impact with no integrity or availability impact. The vulnerability is described as easily exploitable and can lead to unauthorized access to sensitive data. Oracle's April 2026 Critical Patch Update advisory references multiple patches but does not explicitly confirm a patch for this vulnerability. No known exploits in the wild have been reported as of the advisory date.

Successful exploitation of this vulnerability can result in unauthorized access to critical or all data accessible through Oracle HCM Common Architecture. The confidentiality of sensitive information is compromised, but there is no direct impact on data integrity or availability. The vulnerability can be exploited remotely without authentication or user interaction, increasing the risk of data exposure in affected environments.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. However, the advisory does not explicitly confirm patch availability or provide a specific fix for CVE-2026-34297. Customers should review the Oracle Critical Patch Update for April 2026 at https://www.oracle.com/security-alerts/cpuapr2026.html and apply all relevant patches promptly. Until a specific patch is confirmed, organizations should consider restricting network access to Oracle HCM Common Architecture interfaces and monitor Oracle advisories for updates. Patch status is not yet confirmed—check the vendor advisory for current remediation guidance.