This vulnerability affects Oracle Financial Services Analytical Applications Infrastructure versions 8.0.7.9, 8.0.8.7, and 8.1.2.5. It permits an unauthenticated attacker with network access via HTTP to compromise the system, resulting in unauthorized access to critical or all accessible data. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates that the attack can be performed remotely over the network without authentication or user interaction, with a high impact on confidentiality but no impact on integrity or availability. The vulnerability is categorized under CWE-284 (Improper Access Control). Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory, which bundles multiple patches for various products. The advisory urges customers to apply patches promptly but does not explicitly state the patch status for this specific vulnerability. No public exploits are currently known.

Successful exploitation allows an unauthenticated attacker to gain unauthorized access to critical or all data accessible via the Oracle Financial Services Analytical Applications Infrastructure. This compromises confidentiality but does not affect integrity or availability. The vulnerability can be exploited remotely over HTTP without any privileges or user interaction, making it highly accessible to attackers with network access.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory and strongly recommends that customers apply the update promptly. The vendor advisory does not explicitly confirm the availability of a dedicated patch for this vulnerability outside the Critical Patch Update. Therefore, customers should review and apply the April 2026 Critical Patch Update to ensure remediation. Patch status beyond this advisory is not explicitly confirmed; customers should monitor Oracle's security alerts for updates. No alternative mitigations or 'no action required' statements are provided by the vendor.