{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34302", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-03-26T19:48:45.678Z", "datePublished": "2026-04-21T20:35:32.038Z", "dateUpdated": "2026-04-21T20:35:32.038Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:32.038Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Workflow", "versions": [{"version": "12.2.3", "status": "affected", "lessThanOrEqual": "12.2.15", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:workflow:*:*:*:*:*:*:*:*", "versionStartIncluding": "12.2.3", "versionEndIncluding": "12.2.15"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L", "baseScore": 5.5, "baseSeverity": "MEDIUM"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. While the vulnerability is in Oracle Workflow, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Workflow accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Workflow. CVSS 3.1 Base Score 5.5 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L)."}], "id": "CVE-2026-34302", "lastModified": "2026-04-21T21:16:35.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:35.410", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[12.2.3,12.2.15]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Oracle Workflow", "source": "cna", "vendor": "Oracle Corporation"}, "product": "workflow", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T02:27:12.607296+00:00", "value": {"mitigation_remediation": ["Apply the Oracle CPU Apr 2026 patch for Oracle Workflow (versions 12.2.3\u201112.2.15) to fix the authorization bypass in the Workflow Loader component.", "Restrict direct HTTP access to the Workflow Loader service by implementing firewall rules or VPN restrictions so that only trusted hosts can reach the endpoint.", "Disable or limit the use of the Workflow Loader feature if it is not essential, and re\u2011configure it to run under a least\u2011privilege account whenever possible."], "summary": {"action": "Patch", "impact": "Unauthorized Data Modification and Partial Denial of Service"}, "threat_synthesis": {"affected_systems": "Oracle Corporation's Oracle Workflow product, part of Oracle E\u2011Business Suite, is affected in the versions spanning 12.2.3 through 12.2.15. The vulnerability is present in the Workflow Loader component of these releases. Systems running any of these versions should be checked for the presence of the loader module.", "description_and_impact": "Oracle Workflow exposes a flaw in the Workflow Loader component that allows an attacker with high privileges and network access over HTTP to bypass authorization controls. The flaw can be exploited to perform unwanted insert, update, or delete operations on Oracle Workflow data and to trigger a partial denial of service. This results in compromised data integrity and limited availability for users of the product.", "risk_and_exploitability": "The vulnerability carries a CVSS 3.1 base score of 5.5, indicating moderate severity with low to moderate impact on integrity and availability. The attack requires network connectivity to the affected HTTP interface and requires that the attacker already holds high privileges in the system, reducing the likelihood of exploitation but still significant. The weakness is not listed in the CISA KEV catalog, and no EPSS score is currently available; however, in the absence of a denial of service signature the risk remains moderate. Attackers may exploit the vulnerability by sending crafted HTTP requests to the Workflow Loader endpoint, thereby achieving unauthorized data manipulation and a partial denial of service."}}}}, "created": "2026-04-22T02:15:05.238011+00:00", "title": "Authorization Bypass in Oracle Workflow Allows Unauthorized Data Modification and Partial Denial of Service", "updated": "2026-04-22T02:30:05.616434+00:00", "vendors": ["oracle", "oracle$PRODUCT$workflow"], "weaknesses": ["CWE-284", "CWE-285"]}