This vulnerability in Oracle Fusion Middleware's Dynamic Monitoring Service permits a low privileged attacker with network access over HTTP to compromise the product by leveraging required human interaction from a third party. Successful exploitation can lead to unauthorized update, insert, delete, and read access to certain Oracle Fusion Middleware accessible data. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.0.0 and has a CVSS 3.1 score of 5.4 with vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, user interaction required, scope change, and limited confidentiality and integrity impacts. Oracle has addressed this vulnerability in its April 2026 Critical Patch Update, which includes cumulative patches for Fusion Middleware and other products.

Exploitation of this vulnerability can result in unauthorized read and write (update, insert, delete) access to some data accessible via Oracle Fusion Middleware, potentially affecting additional products due to scope change. The confidentiality and integrity of data are impacted, but availability is not affected. The attack requires network access and user interaction from a person other than the attacker. No known active exploits have been reported.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update. Customers using affected versions 12.2.1.4.0 and 14.1.2.0.0 of Oracle Fusion Middleware should apply the April 2026 Critical Patch Update promptly to remediate this vulnerability. Oracle strongly recommends staying on actively supported versions and applying Critical Patch Updates without delay. Patch status is confirmed by the vendor advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.