This vulnerability in Oracle Life Sciences InForm's IDM Authentication component affects versions 7.0.1.0 and 7.0.1.1. It allows an unauthenticated attacker with network access via HTTP to perform unauthorized actions including reading, updating, inserting, or deleting some accessible data, and causing partial denial of service. Successful exploitation requires user interaction from a person other than the attacker. The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L with a base score of 6.3. The vendor advisory references a broad Critical Patch Update but does not explicitly confirm a patch for this vulnerability. The vulnerability is categorized under CWE-284 (Improper Access Control).

Successful exploitation can result in unauthorized read access to some data, unauthorized modification (update, insert, delete) of some data, and the ability to cause a partial denial of service in Oracle Life Sciences InForm. The vulnerability requires user interaction but no authentication or privileges, making it moderately impactful. No known exploits in the wild have been reported.

Patch status is not yet confirmed—check the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html for current remediation guidance. Oracle strongly recommends applying Critical Patch Updates promptly to address vulnerabilities. Until a patch is confirmed and applied, limit network exposure of affected Oracle Life Sciences InForm versions and educate users to be cautious of unexpected interactions that could trigger exploitation.