Cyber Resilience

CVE-2026-21976

High

Published: 20 January 2026

Modified: 29 January 2026
KEV Added: not listed
Patch: see Oracle security alert (Deeper analysis section)
CVSS Score (v3.1): 7.1, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 0.0005 (16.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-21976 is a high-severity vulnerability in Oracle Business Intelligence whose weakness type (CWE) is unspecified. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 16.7th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-21976 is a vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics, specifically the Oracle Analytics Cloud component. The supported versions affected are 7.6.0.0.0 and 8.2.0.0.0. It carries a CVSS 3.1 base score of 7.1 with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, reflecting high impacts to confidentiality and integrity but no availability impact.

The vulnerability is easily exploitable by a low-privileged attacker who has logon access to the infrastructure where Oracle Business Intelligence Enterprise Edition executes. Successful exploitation allows the attacker to compromise the product, resulting in unauthorized creation, deletion, or modification of critical data or of all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized access to critical data or complete access to all such data.

Oracle has published details on this vulnerability, including mitigation and patch information, in their security alert at https://www.oracle.com/security-alerts/cpujan2026.html.

Vulnerability details

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1005 Data from Local System (tactic: Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1565.001 Stored Data Manipulation (tactic: Impact): Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Local low-privilege access to the BI product enables unauthorized data reads (T1005) and manipulation of critical data (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35231 (same vendor: Oracle)
CVE-2026-21932 (same vendor: Oracle)
CVE-2025-21506 (same vendor: Oracle)
CVE-2026-35245 (same vendor: Oracle)
CVE-2025-50105 (same vendor: Oracle)
CVE-2025-21565 (same vendor: Oracle)
CVE-2026-46821 (same vendor: Oracle)
CVE-2025-53037 (same vendor: Oracle)
CVE-2025-21532 (same vendor: Oracle)
CVE-2025-50060 (same vendor: Oracle)

Affected Assets

Vendor: Oracle
Product: Business Intelligence
Versions: 7.6.0.0.0, 8.2.0.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (AC-6, Least Privilege): Limits the privileges of the low-privileged local account so it cannot perform the unauthorized data creation, deletion, modification, or access enabled by the vulnerability.

Prevent (AC-3, Access Enforcement): Enforces access control policies on the Oracle BI system to block the unauthorized data operations that result from successful exploitation.

Prevent: Requires prompt installation of Oracle-supplied patches that eliminate the flaw allowing local low-privileged compromise of confidentiality and integrity.

References