CVE-2026-34302: Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. in Oracle Corporation Oracle Workflow
Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L).
AI Analysis
Technical Summary
CVE-2026-34302 is a vulnerability in the Oracle Workflow product of Oracle E-Business Suite, specifically in the Workflow Loader component, affecting versions 12.2.3 through 12.2.15. It allows a high privileged attacker with network access via HTTP to compromise Oracle Workflow by unauthorized modification (update, insert, delete) of accessible data and to cause a partial denial of service. The vulnerability has a CVSS 3.1 score of 5.5 with network attack vector, low attack complexity, high privileges required, no user interaction, and scope change affecting integrity and availability. The vulnerability may also impact other Oracle products due to scope change. Oracle has referenced this vulnerability in its April 2026 Critical Patch Update advisory, which contains numerous patches for multiple products. The advisory strongly recommends applying the update but does not explicitly confirm a dedicated patch for this specific vulnerability.
Potential Impact
Successful exploitation allows a high privileged attacker with network access to perform unauthorized data modifications (update, insert, delete) within Oracle Workflow and cause a partial denial of service affecting availability. There is no confidentiality impact reported. The vulnerability may also affect additional Oracle products due to scope change. No known exploits in the wild have been reported as of the advisory date.
Mitigation Recommendations
Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. Customers are strongly advised to apply the April 2026 Critical Patch Update promptly to address this and other vulnerabilities. Patch status for this specific vulnerability is not explicitly confirmed in the advisory; therefore, customers should consult the April 2026 Critical Patch Update documentation and apply all relevant patches for Oracle Workflow versions 12.2.3 to 12.2.15. Maintaining up-to-date patching is critical to mitigate this vulnerability.
CVE-2026-34302: Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. in Oracle Corporation Oracle Workflow
Description
Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34302 is a vulnerability in the Oracle Workflow product of Oracle E-Business Suite, specifically in the Workflow Loader component, affecting versions 12.2.3 through 12.2.15. It allows a high privileged attacker with network access via HTTP to compromise Oracle Workflow by unauthorized modification (update, insert, delete) of accessible data and to cause a partial denial of service. The vulnerability has a CVSS 3.1 score of 5.5 with network attack vector, low attack complexity, high privileges required, no user interaction, and scope change affecting integrity and availability. The vulnerability may also impact other Oracle products due to scope change. Oracle has referenced this vulnerability in its April 2026 Critical Patch Update advisory, which contains numerous patches for multiple products. The advisory strongly recommends applying the update but does not explicitly confirm a dedicated patch for this specific vulnerability.
Potential Impact
Successful exploitation allows a high privileged attacker with network access to perform unauthorized data modifications (update, insert, delete) within Oracle Workflow and cause a partial denial of service affecting availability. There is no confidentiality impact reported. The vulnerability may also affect additional Oracle products due to scope change. No known exploits in the wild have been reported as of the advisory date.
Mitigation Recommendations
Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. Customers are strongly advised to apply the April 2026 Critical Patch Update promptly to address this and other vulnerabilities. Patch status for this specific vulnerability is not explicitly confirmed in the advisory; therefore, customers should consult the April 2026 Critical Patch Update documentation and apply all relevant patches for Oracle Workflow versions 12.2.3 to 12.2.15. Maintaining up-to-date patching is critical to mitigate this vulnerability.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-03-26T19:48:45.678Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e5a819fe3cd2cdf9f9a3
Added to database: 4/21/2026, 9:01:28 PM
Last enriched: 4/21/2026, 9:48:05 PM
Last updated: 4/22/2026, 6:05:25 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.