CVE-2026-35229
Published: 21 April 2026
Summary
CVE-2026-35229 is a high-severity Improper Access Control (CWE-284) vulnerability in the Java VM component of Oracle Database Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5), AI-generated
- SI-2 (Flaw Remediation): Directly remediates the specific vulnerability in the Oracle Database Server Java VM by requiring timely patching as per Oracle's Critical Patch Update.
- SC-7 (Boundary Protection): Enforces network boundaries to restrict unauthenticated network access via Oracle Net to the vulnerable Java VM component.
- System and network monitoring: Monitors system and network activity for indicators of exploitation attempts against the Java VM, such as anomalous Oracle Net traffic.
MITRE ATT&CK Enterprise Techniques, AI-generated
Why these techniques?
The vulnerability is a remote unauthenticated network exploit (via Oracle Net) against a public-facing database server component, directly enabling T1190 for initial access and data exposure.
NVD Description
Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.30 and 21.3-21.21. Easily exploitable vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Java VM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Java VM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Deeper analysis, AI-generated
CVE-2026-35229 is a vulnerability in the Java VM component of Oracle Database Server. Supported versions affected include 19.3 through 19.30 and 21.3 through 21.21. The issue, associated with CWE-284 (Improper Access Control), was published on 2026-04-21 and carries a CVSS 3.1 Base Score of 7.5 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating high confidentiality impact but no integrity or availability effects.
An unauthenticated attacker with network access via Oracle Net can easily exploit this vulnerability to compromise the Java VM. Successful exploitation grants unauthorized access to critical data or complete access to all data accessible by the Java VM, potentially exposing sensitive information within the database environment.
Oracle's security advisory at https://www.oracle.com/security-alerts/cpuapr2026.html, part of the April 2026 Critical Patch Update, details patches and mitigation steps for addressing this vulnerability. Security practitioners should apply the relevant updates promptly to affected Oracle Database Server installations.
Details
- CWE(s)