CVE-2026-22011
Published: 21 April 2026
Summary
CVE-2026-22011 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Applications Dba. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2026-22011 by requiring timely application of Oracle Critical Patch Updates for the vulnerable ADPatch component in versions 12.2.3-12.2.15.
Enforces approved access authorizations to address the CWE-284 improper access control vulnerability in ADPatch, preventing high-privileged exploitation.
Limits high privileges (PR:H) required for exploitation, reducing the attack surface for network-accessible HTTP compromise of Oracle Applications DBA.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper access control in a network-accessible Oracle E-Business Suite component (HTTP) directly enables remote exploitation of a public-facing application (T1190) and facilitates privilege escalation to full component takeover with scope change (T1068).
NVD Description
Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: ADPatch). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks…
more
require human interaction from a person other than the attacker and while the vulnerability is in Oracle Applications DBA, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications DBA. CVSS 3.1 Base Score 7.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).
Deeper analysisAI
CVE-2026-22011 is a vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite, specifically the ADPatch component. Supported versions affected are 12.2.3 through 12.2.15. This difficult-to-exploit vulnerability, linked to CWE-284 (Improper Access Control), carries a CVSS 3.1 base score of 7.6 with the vector (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H), indicating high impacts to confidentiality, integrity, and availability.
A high-privileged attacker with network access via HTTP can exploit the vulnerability, though successful attacks require high attack complexity and human interaction from a person other than the attacker. Exploitation enables takeover of Oracle Applications DBA and, due to scope change, may significantly impact additional products.
Oracle's Critical Patch Update for April 2026 details patches and mitigation recommendations at https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s)