This vulnerability affects Oracle Application Development Framework (ADF) components in Oracle Fusion Middleware, specifically versions 12.2.1.4.0 and 14.1.2.0.0. It is classified under CWE-284 (Improper Access Control) and allows an attacker with low privileges and logon access to the affected infrastructure to compromise ADF, potentially resulting in complete takeover of the framework. The CVSS 3.1 vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that the attack requires local access with low complexity and privileges but no user interaction, and it impacts confidentiality, integrity, and availability at a high level. Oracle has released security patches addressing this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. The vendor strongly recommends applying these patches without delay to prevent exploitation.

Successful exploitation of this vulnerability can lead to full compromise of Oracle Application Development Framework (ADF), affecting confidentiality, integrity, and availability of the affected system. An attacker with low privileges and logon access to the infrastructure can leverage this flaw to take over the ADF component, potentially allowing unauthorized access, modification, or disruption of services relying on ADF.

Oracle has released security patches for this vulnerability in the April 2026 Critical Patch Update for Fusion Middleware products. Customers should promptly apply the April 2026 CPU to affected Oracle ADF versions (12.2.1.4.0 and 14.1.2.0.0) to remediate this vulnerability. Oracle strongly advises remaining on actively-supported versions and applying Critical Patch Updates without delay. Patch status is confirmed as available via the vendor advisory: https://www.oracle.com/security-alerts/cpuapr2026.html.