Cyber Resilience

CVE-2026-21967

Severity: High

Published: 20 January 2026
Modified: 29 January 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: see the Oracle Critical Patch Update advisory (January 2026)
CVSS Score (v3.1): 8.6, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS Score: 0.0027 (18.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-21967 is a high-severity vulnerability of unspecified weakness type in Oracle Hospitality OPERA 5. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 18.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-21967 is a vulnerability in the Opera Servlet component of Oracle Hospitality OPERA 5, which is part of Oracle Hospitality Applications. The supported versions affected by this issue are 5.6.19.23, 5.6.25.17, 5.6.26.10, and 5.6.27.4. It carries a CVSS 3.1 base score of 8.6 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, reflecting high confidentiality impact and low integrity and availability impacts. NVD has not assigned a CWE to this vulnerability.

The vulnerability is easily exploitable by an unauthenticated attacker who has network access via HTTP. Successful exploitation enables unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data, as well as unauthorized update, insert, or delete access to some of that data and the ability to cause a partial denial of service.

The Oracle security advisory at https://www.oracle.com/security-alerts/cpujan2026.html provides further details on this vulnerability, including information on patches and mitigation steps.

EU & UK References

Vulnerability details

Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

CWE(s): none assigned (NVD)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct remote unauthenticated exploitation of a public-facing HTTP servlet enabling data access/modification and partial DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-21547 (same product: Oracle Hospitality OPERA 5)
CVE-2026-46821 (same vendor: Oracle)
CVE-2026-46818 (same vendor: Oracle)
CVE-2026-34297 (same vendor: Oracle)
CVE-2025-50060 (same vendor: Oracle)
CVE-2026-46775 (same vendor: Oracle)
CVE-2026-34285 (same vendor: Oracle)
CVE-2026-46822 (same vendor: Oracle)
CVE-2025-61757 (same vendor: Oracle)
CVE-2025-30744 (same vendor: Oracle)

Affected Assets

Vendor: Oracle
Product: Hospitality OPERA 5
Affected versions: 5.6.19.23, 5.6.25.17, 5.6.26.10, 5.6.27.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Flaw remediation (prevent)

Directly mitigates CVE-2026-21967 by requiring timely patching and remediation of the flaw in the Opera Servlet component.

SC-7 Boundary Protection (prevent, detect)

Prevents and detects unauthenticated network access via HTTP to the vulnerable servlet by controlling communications at external system boundaries.

AC-3 Access Enforcement (prevent)

Enforces access control policies to block unauthorized data access, modification, and partial DoS enabled by the servlet vulnerability.

References