This vulnerability affects the User Interface component of Oracle Financial Services Analytical Applications Infrastructure in specified versions. It enables a low privileged attacker who has logon access to the infrastructure to compromise the application, contingent on successful social engineering or other human interaction from a third party. The impact includes high confidentiality loss, limited integrity compromise, and high availability impact due to potential denial of service conditions. The CVSS vector indicates local attack vector, low attack complexity, low privileges required, and required user interaction. The vulnerability was published on April 21, 2026, and is documented under CVE-2026-34325. Oracle's April 2026 Critical Patch Update advisory references multiple patches but does not explicitly state patch availability or remediation details for this specific vulnerability.

Successful exploitation can result in unauthorized access to critical or all accessible data within Oracle Financial Services Analytical Applications Infrastructure, unauthorized update, insert, or delete operations on some data, and the ability to cause a hang or repeated crash leading to denial of service. The confidentiality impact is high, integrity impact is low, and availability impact is high as per the CVSS assessment. Exploitation requires a low privileged attacker with infrastructure logon and human interaction from a third party, limiting the attack vector to local and requiring user involvement.

Oracle has included this vulnerability in its April 2026 Critical Patch Update advisory. However, the advisory content provided does not explicitly confirm the availability of a specific patch or fix for CVE-2026-34325. Customers are strongly advised to review the April 2026 Critical Patch Update documentation at https://www.oracle.com/security-alerts/cpuapr2026.html for the latest patch availability and installation instructions. Applying the Critical Patch Update promptly is recommended to address this and other vulnerabilities. Until a patch is confirmed and applied, organizations should limit low privileged user access to the infrastructure and educate users to reduce the risk of social engineering or other human interaction exploitation vectors.