CVE-2026-21976
Published: 20 January 2026
Summary
CVE-2026-21976 is a high-severity vulnerability in Oracle Business Intelligence (Enterprise Edition) for which no specific CWE weakness type has been assigned. Its CVSS 3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK techniques Data from Local System (T1005) and Stored Data Manipulation (T1565.001). It is ranked at the 16.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-21976 is a vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics, specifically the Oracle Analytics Cloud component. The supported versions affected are 7.6.0.0.0 and 8.2.0.0.0. It carries a CVSS 3.1 base score of 7.1 with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, reflecting high impacts to confidentiality and integrity but no availability impact.
The vulnerability is easily exploitable (AC:L) by a low-privileged attacker (PR:L) who has logon access to the infrastructure where Oracle Business Intelligence Enterprise Edition executes; no user interaction is required (UI:N). Because the attack vector is local (AV:L), the attacker must already hold an ordinary account, or an equivalent foothold, on the host running the product, so host-level hardening of that environment matters as much as the patch. Successful exploitation allows the attacker to compromise the product, resulting in unauthorized creation, deletion, or modification of critical data or of all Oracle Business Intelligence Enterprise Edition accessible data, as well as unauthorized access to critical data or complete access to all such data.
Oracle has published details on this vulnerability, including mitigation and patch information, in their security alert at https://www.oracle.com/security-alerts/cpujan2026.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3536
Vulnerability details
Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
- CWE(s): none specified for this CVE
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local, low-privileged access to the host running the BI product enables unauthorized reading of its data (T1005) and manipulation of critical data (T1565.001).
Mitigating Controls (NIST 800-53 r5)
- AC-6 (Least Privilege): limits the privileges of low-privileged local accounts so they cannot perform the unauthorized data creation, deletion, modification, or access that the vulnerability enables.
- AC-3 (Access Enforcement): enforces access control policies on the Oracle BI system to block the unauthorized data operations that result from successful exploitation.
- Flaw remediation (patching): requires prompt installation of the Oracle-supplied patches from the January 2026 Critical Patch Update, which eliminate the flaw that allows a local, low-privileged compromise of confidentiality and integrity.