CVE-2026-21967
Published: 20 January 2026
Summary
CVE-2026-21967 is a high-severity vulnerability of unspecified weakness type in Oracle Hospitality Opera 5. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 20.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2026-21967 by requiring timely patching and remediation of the flaw in the Opera Servlet component.
Prevents and detects unauthenticated network access via HTTP to the vulnerable servlet by controlling communications at external system boundaries.
Enforces access control policies to block unauthorized data access, modification, and partial DoS enabled by the servlet vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote unauthenticated exploitation of a public-facing HTTP servlet enabling data access/modification and partial DoS.
NVD Description
Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).
Deeper analysis
CVE-2026-21967 is a vulnerability in the Opera Servlet component of Oracle Hospitality OPERA 5, which is part of Oracle Hospitality Applications. The supported versions affected by this issue are 5.6.19.23, 5.6.25.17, 5.6.26.10, and 5.6.27.4. It carries a CVSS 3.1 base score of 8.6 with the vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), reflecting high confidentiality impact and low integrity and availability impacts. NVD lists no associated CWE information.
The vulnerability is easily exploitable by an unauthenticated attacker who has network access via HTTP. Successful exploitation enables unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data, as well as unauthorized update, insert, or delete access to some of that data and the ability to cause a partial denial of service.
The Oracle security advisory at https://www.oracle.com/security-alerts/cpujan2026.html provides further details on this vulnerability, including information on patches and mitigation steps.