CVE-2026-22010
Published: 21 April 2026
Summary
CVE-2026-22010 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Financial Services Analytical Applications Infrastructure. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations for logical access, directly addressing the improper access control (CWE-284) that allows unauthenticated attackers to access critical data.
- SI-2 (Flaw Remediation): Requires identification, reporting, and correction of flaws like this CVE via patching from Oracle's Critical Patch Update, eliminating the vulnerability.
- SC-7 (Boundary Protection): Monitors and controls communications at external interfaces, blocking the unauthenticated HTTP network access required to exploit the vulnerability.
MITRE ATT&CK Enterprise Techniques
- T1190 (Exploit Public-Facing Application)
Why these techniques?
Direct unauthenticated network exploitation of a public-facing Oracle web application due to improper access control (CWE-284), enabling unauthorized data access.
NVD Description
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Deeper analysis
CVE-2026-22010 is a vulnerability in the Platform component of the Oracle Financial Services Analytical Applications Infrastructure product within Oracle Financial Services Applications. The affected supported versions are 8.0.7.9, 8.0.8.7, and 8.1.2.5. This easily exploitable issue, associated with CWE-284 (Improper Access Control), has a CVSS 3.1 Base Score of 7.5, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, primarily impacting confidentiality.
An unauthenticated attacker with network access via HTTP can exploit this vulnerability to compromise the Oracle Financial Services Analytical Applications Infrastructure. Successful exploitation results in unauthorized access to critical data or complete access to all data accessible by the infrastructure; the vector's C:H/I:N/A:N components indicate that the impact is to confidentiality only, with no integrity or availability impact.
For mitigation details, refer to Oracle's Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html, published on 2026-04-21.
Details
- CWE(s)