{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34296", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-03-26T19:48:45.678Z", "datePublished": "2026-04-21T20:35:29.220Z", "dateUpdated": "2026-04-22T13:37:37.176Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:29.220Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Agile Product Lifecycle Management for Process", "versions": [{"version": "6.2.4", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.4:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:37:33.486246Z", "id": "CVE-2026-34296", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:37:37.176Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34296", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:37:33.486246Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:37:29.684Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Agile Product Lifecycle Management for Process", "versions": [{"status": "affected", "version": "6.2.4", "versionType": "semver"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.4:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:29.220Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34296", "state": "PUBLISHED", "dateUpdated": "2026-04-22T13:37:37.176Z", "dateReserved": "2026-03-26T19:48:45.678Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-04-21T20:35:29.220Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "4F85AABE-B854-4887-A641-2102D355F9E3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Agile Product Lifecycle Management for Process accessible data. CVSS 3.1 Base Score 4.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)."}], "id": "CVE-2026-34296", "lastModified": "2026-04-23T18:22:22.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "secalert_us@oracle.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:34.610", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "6.2.4"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Oracle Agile Product Lifecycle Management for Process", "source": "cna", "vendor": "Oracle Corporation"}, "product": "agile_product_lifecycle_management_for_process", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T04:59:29.346141+00:00", "value": {"mitigation_remediation": ["Upgrade Oracle Agile Product Lifecycle Management for Process to a version that includes the Oracle patch released in the April\u202f2026 security alert.", "Configure the application so that all data\u2011retrieval endpoints require authentication and enforce role\u2011based access control to prevent unauthorized read access.", "Isolate the application behind a network perimeter that restricts HTTP traffic to known administrative contacts, and block unauthenticated network access from untrusted hosts.", "Enable comprehensive logging and monitor for any unauthorized read attempts, then alert security personnel accordingly."], "summary": {"action": "Assess Impact", "impact": "Unauthorized read access to sensitive data (confidentiality compromise)"}, "threat_synthesis": {"affected_systems": "Oracle Corporation\u2019s Agile Product Lifecycle Management for Process, part of Oracle Supply Chain Management, is affected. The only explicitly listed vulnerable release is version\u202f6.2.4; newer releases are presumed patched. No other versions or components are mentioned.", "description_and_impact": "The flaw in Oracle Agile Product Lifecycle Management for Process version\u202f6.2.4 permits an attacker with low privileges to access the system over HTTP and read data that should be restricted. The vulnerability is reported as a low\u2011complexity, network\u2011based exploit that results in a confidentiality compromise, as reflected by the CVSS\u202f3.1 score of 4.3 (C\u202fL). Based on the description, it is inferred that the weakness arises from inadequate authorization checks in the Product Quality Management component, leading to information disclosure.", "risk_and_exploitability": "Based on the description, it is inferred that the attack can be launched over the public network without authentication and only requires low privileges, suggesting a moderate risk of exploitation. The CVSS\u202fBase\u202fScore of\u202f4.3 indicates a moderate impact on confidentiality, but since no EPSS score is available and the vulnerability is not listed in KEV, we cannot determine the current exploitation prevalence, and it is inferred that hacking activity is not yet widespread. However, the ease of use of the flaw means organizations should assess the potential data exposure promptly and consider remediation or additional controls."}}}}, "created": "2026-04-22T03:15:06.281867+00:00", "title": "Oracle Agile PDM for Process 6.2.4 HTTP Read Access Vulnerability", "updated": "2026-04-22T05:00:09.532212+00:00", "vendors": ["oracle", "oracle$PRODUCT$agile_product_lifecycle_management_for_process"], "weaknesses": ["CWE-200", "CWE-284"]}