CVE-2026-35243: Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). in Oracle Corporation Oracle Application Development Framework (ADF)
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AI Analysis
Technical Summary
This vulnerability affects Oracle Application Development Framework (ADF) component ADF Faces in versions 12.2.1.4.0 and 14.1.2.0.0. It enables an attacker with low privileges and logon access to the infrastructure to compromise ADF, potentially leading to complete takeover of the framework. The CVSS 3.1 vector indicates local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impacts on confidentiality, integrity, and availability (7.8 base score). Oracle has addressed this vulnerability in its April 2026 Critical Patch Update, which includes security patches for Fusion Middleware products including ADF.
Potential Impact
Successful exploitation can lead to full compromise of Oracle Application Development Framework (ADF), affecting confidentiality, integrity, and availability of the affected system. This could allow an attacker to take over the ADF environment, potentially impacting applications relying on this framework.
Mitigation Recommendations
Oracle has released security patches for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. Customers should promptly apply the April 2026 CPU to affected Oracle ADF versions (12.2.1.4.0 and 14.1.2.0.0) to remediate this vulnerability. Oracle strongly recommends staying on actively supported versions and applying Critical Patch Updates without delay. Patch status is confirmed by the vendor advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.
CVE-2026-35243: Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). in Oracle Corporation Oracle Application Development Framework (ADF)
Description
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Oracle Application Development Framework (ADF) component ADF Faces in versions 12.2.1.4.0 and 14.1.2.0.0. It enables an attacker with low privileges and logon access to the infrastructure to compromise ADF, potentially leading to complete takeover of the framework. The CVSS 3.1 vector indicates local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impacts on confidentiality, integrity, and availability (7.8 base score). Oracle has addressed this vulnerability in its April 2026 Critical Patch Update, which includes security patches for Fusion Middleware products including ADF.
Potential Impact
Successful exploitation can lead to full compromise of Oracle Application Development Framework (ADF), affecting confidentiality, integrity, and availability of the affected system. This could allow an attacker to take over the ADF environment, potentially impacting applications relying on this framework.
Mitigation Recommendations
Oracle has released security patches for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products. Customers should promptly apply the April 2026 CPU to affected Oracle ADF versions (12.2.1.4.0 and 14.1.2.0.0) to remediate this vulnerability. Oracle strongly recommends staying on actively supported versions and applying Critical Patch Updates without delay. Patch status is confirmed by the vendor advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-04-01T20:03:40.833Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cpuapr2026.html","vendor":"Oracle"}]
Threat ID: 69e7e5af19fe3cd2cdfa016b
Added to database: 4/21/2026, 9:01:35 PM
Last enriched: 4/21/2026, 9:16:50 PM
Last updated: 4/22/2026, 6:08:39 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.