CVE-2026-34310
Published: 21 April 2026
Summary
CVE-2026-34310 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Financial Services Analytical Applications Infrastructure. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Remediating the specific flaw in CVE-2026-34310 via Oracle's Critical Patch Update directly prevents exploitation leading to unauthorized data access.
Enforces approved authorizations to block unauthenticated access to critical data, directly addressing the CWE-284 improper access control vulnerability.
Monitors and controls HTTP network traffic at system boundaries to restrict unauthenticated remote access to the vulnerable platform component.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is an unauthenticated remote access control bypass (CWE-284) in a public-facing web application allowing direct HTTP access to sensitive data, directly enabling T1190: Exploit Public-Facing Application.
NVD Description
Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Platform). Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise…
more
Oracle Financial Services Analytical Applications Infrastructure. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Deeper analysisAI
CVE-2026-34310 is a vulnerability in the Platform component of the Oracle Financial Services Analytical Applications Infrastructure product within Oracle Financial Services Applications. The affected supported versions are 8.0.7.9, 8.0.8.7, and 8.1.2.5. This easily exploitable issue, associated with CWE-284 (Improper Access Control), has a CVSS 3.1 Base Score of 7.5, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, primarily impacting confidentiality.
An unauthenticated attacker with network access via HTTP can exploit this vulnerability to compromise the Oracle Financial Services Analytical Applications Infrastructure. Successful exploitation allows unauthorized access to critical data or complete access to all data accessible by the infrastructure.
Oracle has published details on mitigation in its Critical Patch Update advisory for April 2026, available at https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s)