{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35244", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-04-01T20:03:40.833Z", "datePublished": "2026-04-21T20:35:50.742Z", "dateUpdated": "2026-04-21T20:35:50.742Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:50.742Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Infrastructure Technology accessible data as well as unauthorized read access to a subset of Oracle Hyperion Infrastructure Technology accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Hyperion Infrastructure Technology", "versions": [{"version": "11.2.24.0.000", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:hyperion_infrastructure_technology:11.2.24.0.000:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Infrastructure Technology accessible data as well as unauthorized read access to a subset of Oracle Hyperion Infrastructure Technology accessible data. CVSS 3.1 Base Score 5.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N", "baseScore": 5.2, "baseSeverity": "MEDIUM"}}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Hyperion Infrastructure Technology product of Oracle Hyperion (component: Lifecycle Management). The supported version that is affected is 11.2.24.0.000. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Hyperion Infrastructure Technology. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hyperion Infrastructure Technology accessible data as well as unauthorized read access to a subset of Oracle Hyperion Infrastructure Technology accessible data. CVSS 3.1 Base Score 5.2 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N)."}], "id": "CVE-2026-35244", "lastModified": "2026-04-21T21:16:40.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 4.2, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-04-21T21:16:40.400", "references": [{"source": "secalert_us@oracle.com", "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:44:17.369407+00:00", "value": {"mitigation_remediation": ["Apply the Oracle patch released in the April 2026 CPU to version 11.2.24.0.000.", "Restrict HTTP access to Hyperion servers to trusted internal networks only, blocking external IPs.", "Enable detailed auditing on data creation, deletion, and modification events, and monitor logs for unusual activity."], "summary": {"action": "Patch", "impact": "Data Integrity and Confidentiality Compromise"}, "threat_synthesis": {"affected_systems": "Oracle Corporation\u2019s Hyperion Infrastructure Technology, version 11.2.24.0.000, is affected. No other versions are listed as impacted.", "description_and_impact": "A vulnerability exists in the Lifecycle Management component of Oracle Hyperion Infrastructure Technology that allows a high\u2011privileged attacker with HTTP network access to compromise the system. Successful exploitation requires the attacker to obtain high privileges and user interaction from an external person, enabling unauthorized creation, deletion or modification of critical data, or unauthorized read access to a subset of data. The CV of 5.2 highlights impacts on confidentiality and integrity.", "risk_and_exploitability": "The risk is moderate (CVSS 5.2). Exploitation is possible over an HTTP interface, requiring a high\u2011privileged user and human interaction from a person other than the attacker, implying a social engineering component. The EPSS score is not available and the vulnerability is not listed in CISA KEV, suggesting a lower likelihood of widespread exploitation at present."}}}}, "created": "2026-04-22T04:45:09.356218+00:00", "title": "Unauthorized Data Modification in Oracle Hyperion Infrastructure Technology via HTTP", "updated": "2026-04-22T04:45:09.356231+00:00", "vendors": [], "weaknesses": ["CWE-284", "CWE-250"]}