This vulnerability affects Oracle Financial Services Analytical Applications Infrastructure versions 8.0.7.9, 8.0.8.7, and 8.1.2.5. It is exploitable remotely over HTTP without authentication, allowing attackers to access critical or all accessible data within the product. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, no privileges or user interaction required, unchanged scope, and high confidentiality impact with no integrity or availability impact. The vulnerability is included in Oracle's April 2026 Critical Patch Update, which addresses 481 security issues across multiple Oracle products. Oracle strongly recommends applying these patches without delay to protect affected systems.

Successful exploitation of this vulnerability can lead to unauthorized access to critical data or complete access to all data accessible through the Oracle Financial Services Analytical Applications Infrastructure. This compromises confidentiality but does not affect integrity or availability. The vulnerability is remotely exploitable without authentication, increasing the risk of unauthorized data disclosure.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update. Customers should promptly apply the relevant patches from this update to affected versions (8.0.7.9, 8.0.8.7, and 8.1.2.5) of Oracle Financial Services Analytical Applications Infrastructure. Oracle strongly advises remaining on actively-supported versions and applying Critical Patch Updates without delay. Patch status is confirmed by the vendor advisory at https://www.oracle.com/security-alerts/cpuapr2026.html. No alternative mitigations or workarounds are specified in the advisory.