This vulnerability affects the Oracle Financial Services Analytical Applications Infrastructure product, specifically versions 8.0.7.9, 8.0.8.7, and 8.1.2.5. It is classified under CWE-200 (Exposure of Sensitive Information) and allows an attacker with low privileges and network access via HTTP to compromise the system, resulting in unauthorized access to sensitive or critical data. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. The vulnerability was published on April 21, 2026, and is included in Oracle's April 2026 Critical Patch Update advisory. However, the advisory does not explicitly state whether a patch for this specific vulnerability is available or if a temporary fix exists.

Successful exploitation of this vulnerability can lead to unauthorized access to critical or all accessible data within Oracle Financial Services Analytical Applications Infrastructure. The impact is limited to confidentiality, with no direct effect on data integrity or availability. There are no reports of active exploitation in the wild.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. However, the advisory does not explicitly confirm the availability of a patch or remediation for this specific vulnerability. Customers are strongly advised to review the April 2026 Critical Patch Update documentation at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest patch availability and installation instructions. Applying the Critical Patch Update promptly is recommended to mitigate this and other vulnerabilities. Patch status is not yet confirmed for this specific vulnerability — check the vendor advisory for current remediation guidance.