CVE-2026-34275
Published: 21 April 2026
Summary
CVE-2026-34275 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Advanced Inbound Telephony. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 29.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-7 (Boundary Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires timely remediation of known vulnerabilities like CVE-2026-34275 through application of Oracle's Critical Patch Update, directly preventing exploitation.
Limits or prohibits unauthenticated actions on critical Setup and Administration functions, directly addressing the missing authentication (CWE-306) that enables takeover.
Enforces boundary protection to restrict unauthenticated network access via HTTP to the vulnerable Oracle Advanced Inbound Telephony component.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated remote exploitation via HTTP of a public-facing application component, directly mapping to T1190: Exploit Public-Facing Application.
NVD Description
Vulnerability in the Oracle Advanced Inbound Telephony product of Oracle E-Business Suite (component: Setup and Administration). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Inbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Inbound Telephony. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Deeper analysis
CVE-2026-34275 is a vulnerability in the Oracle Advanced Inbound Telephony product, which is part of Oracle E-Business Suite, specifically affecting the Setup and Administration component. Supported versions impacted by this issue range from 12.2.3 to 12.2.15. The vulnerability, linked to CWE-306, carries a CVSS 3.1 base score of 9.8 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating critical severity due to high impacts on confidentiality, integrity, and availability.
An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle Advanced Inbound Telephony. A successful attack results in takeover of the affected component, with high impact on its confidentiality, integrity, and availability.
Oracle's Critical Patch Update for April 2026 provides details on this vulnerability, including patches and mitigation guidance, available at https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s)