Cyber Posture

CVE-2026-21976

High

Published: 20 January 2026

Modified: 29 January 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (13.1th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21976 is a high-severity vulnerability of an unspecified weakness type in Oracle Business Intelligence. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE is ranked at the 13.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and 1 other technique.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI)

T1005 · Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1565.001 · Stored Data Manipulation · Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

Why these techniques?

Local low-privileged access to the BI product enables unauthorized data reads (T1005) and manipulation of critical data (T1565.001).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

Deeper analysis (AI)

CVE-2026-21976 is a vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics, specifically the Oracle Analytics Cloud component. The supported versions affected are 7.6.0.0.0 and 8.2.0.0.0. It carries a CVSS 3.1 base score of 7.1 with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, reflecting high impacts to confidentiality and integrity but no availability impact.

The vulnerability is easily exploitable by a low privileged attacker who has logon access to the infrastructure where Oracle Business Intelligence Enterprise Edition executes. Successful exploitation allows the attacker to compromise the product, resulting in unauthorized creation, deletion, or modification of critical data or all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized access to critical data or complete access to all such data.

Oracle has published details on this vulnerability, including mitigation and patch information, in their security alert at https://www.oracle.com/security-alerts/cpujan2026.html.

Details

Affected Products

oracle · business intelligence · 7.6.0.0.0, 8.2.0.0.0

CVEs Like This One

CVE-2026-21932 (Same vendor: Oracle)
CVE-2026-35231 (Same vendor: Oracle)
CVE-2025-21506 (Same vendor: Oracle)
CVE-2025-21515 (Same vendor: Oracle)
CVE-2025-50067 (Same vendor: Oracle)
CVE-2026-35251 (Same vendor: Oracle)
CVE-2026-21984 (Same vendor: Oracle)
CVE-2026-34290 (Same vendor: Oracle)
CVE-2026-22010 (Same vendor: Oracle)
CVE-2025-21521 (Same vendor: Oracle)
