{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34302", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-03-26T19:48:45.678Z", "datePublished": "2026-04-21T20:35:32.038Z", "dateUpdated": "2026-04-21T20:35:32.038Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:32.038Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Workflow", "versions": [{"version": "12.2.3", "status": "affected", "lessThanOrEqual": "12.2.15", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:workflow:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.2.3", "versionEndIncluding": "12.2.15"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L)."}], "id": "CVE-2026-34302", "lastModified": "2026-04-21T21:16:35.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:35.410", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.3,12.2.15]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Oracle Workflow", "source": "cna", "vendor": "Oracle Corporation"}, "product": "workflow", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T07:29:58.351862+00:00", "value": {"mitigation_remediation": ["Apply the Oracle CPU Apr 2026 patch for Oracle Workflow (versions 12.2.3-12.2.15) to fix the authorization bypass in the Workflow Loader component.", "Restrict direct HTTP access to the Workflow Loader service by implementing firewall rules or VPN restrictions so that only trusted hosts can reach the endpoint.", "Disable or limit the use of the Workflow Loader feature if it is not essential, and re\u2011configure it to run under a least\u2011privilege account whenever possible."], "summary": {"action": "Patch", "impact": "Unauthorized Data Modification and Partial Denial of Service"}, "threat_synthesis": {"affected_systems": "Oracle Corporation\u2019s Oracle Workflow product, part of Oracle E-Business Suite, is affected in the versions spanning 12.2.3 through 12.2.15. The flaw is located in the Workflow Loader component of these releases. Systems running these versions should verify the installation of the loader module.", "description_and_impact": "Oracle Workflow contains an authorization bypass in its Workflow Loader component that allows an attacker who already has high privileges to perform unauthorized insert, update or delete operations on Workflow data and to trigger a partial denial of service. This flaw directly impacts the integrity and availability of Oracle Workflow accessible data, while the confidentiality impact is limited. Based on the description, the vulnerability requires the attacker to reach the system via HTTP and to hold high-level credentials on the host.", "risk_and_exploitability": "The CVSS 3.1 base score of 5.5 indicates moderate severity with low to moderate impact on integrity and availability. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by sending crafted HTTP requests to the Workflow Loader endpoint when they already possess high-privilege access. The likely attack vector is network access via the exposed HTTP interface, and the risk is bounded by the prerequisite of high privileges."}}}}, "created": "2026-04-22T02:15:05.238011+00:00", "title": "Authorization Bypass in Oracle Workflow Loader Enables Data Tampering and Partial Denial of Service", "updated": "2026-04-22T07:30:11.608191+00:00", "vendors": ["oracle", "oracle$PRODUCT$workflow"], "weaknesses": ["CWE-285"]}