CVE-2026-34279
Published: 21 April 2026
Summary
CVE-2026-34279 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Oracle Enterprise Manager Base Platform. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 27.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Timely application of Oracle's Critical Patch Update directly remediates the missing-authentication flaw in the Event Management component.
- AC-14 (Permitted Actions Without Identification or Authentication): limits the actions allowed without identification or authentication to non-critical functions, directly countering CWE-306 in Event Management.
- AC-3 (Access Enforcement): enforces approved authorizations for all system resources, preventing high-privileged attackers from reaching unauthenticated critical functions over HTTP.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerable Event Management component is reachable over HTTP in the network-facing Oracle Enterprise Manager Base Platform, and exploitation by a high-privileged attacker results in full platform takeover; this maps directly to T1190 (Exploit Public-Facing Application).
NVD Description
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Event Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Deeper analysis
CVE-2026-34279 is a vulnerability in the Event Management component of the Oracle Enterprise Manager Base Platform product within Oracle Enterprise Manager. The supported versions affected are 13.5 and 24.1. It is classified under CWE-306 (Missing Authentication for Critical Function) and carries a CVSS 3.1 base score of 9.1, with the vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, reflecting high impacts on confidentiality, integrity, and availability.
The vulnerability is easily exploitable by a high-privileged attacker with network access via HTTP. Successful exploitation compromises the Oracle Enterprise Manager Base Platform, resulting in a full takeover. Although the flaw itself is contained within the Base Platform, the scope change in the CVSS vector means attacks can significantly impact additional products.
Details on patches and mitigations are available in Oracle's Critical Patch Update advisory for April 2026 at https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s)