CVE-2026-35231

High

Published: 21 April 2026

Published

21 April 2026

Modified

27 April 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0005 15.4th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35231 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Financial Services Transaction Filtering. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the specific UI vulnerability by identifying, prioritizing, and applying the Oracle Critical Patch Update to remediate the flaw.

SC-7 Boundary Protection good match

prevent

Monitors and controls network communications at external boundaries to block unauthenticated HTTP access to the vulnerable User Interface component.

AC-3 Access Enforcement good match

prevent

Enforces approved access authorizations in the system, directly countering the CWE-284 improper access control allowing unauthorized data disclosure via the UI.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

The vulnerability allows unauthenticated remote exploitation via HTTP against a public-facing web UI component, directly mapping to T1190. Successful exploitation grants unauthorized access to critical data within the product, facilitating T1005 for data collection from the local system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Oracle Financial Services Transaction Filtering product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial…

Services Transaction Filtering. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Transaction Filtering accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Deeper analysisAI

CVE-2026-35231 is a vulnerability in the User Interface component of Oracle Financial Services Transaction Filtering, a product within Oracle Financial Services Applications. The supported version affected is 8.1.2.8.0. It is classified under CWE-284 and was published on 2026-04-21.

The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP, allowing them to compromise Oracle Financial Services Transaction Filtering. Successful attacks can result in unauthorized access to critical data or complete access to all data accessible within the product. The CVSS 3.1 base score is 7.5, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, reflecting high confidentiality impact and no integrity or availability effects.

Mitigation details are provided in the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.

Details

CWE(s): CWE-284

Affected Products

oracle

financial services transaction filtering

8.1.2.8.0

CVEs Like This One

CVE-2025-50105Same vendor: Oracle

CVE-2026-34287Same vendor: Oracle

CVE-2026-21962Same vendor: Oracle

CVE-2025-50060Same vendor: Oracle

CVE-2026-21994Same vendor: Oracle

CVE-2026-21997Same vendor: Oracle

CVE-2026-22010Same vendor: Oracle

CVE-2026-34291Same vendor: Oracle

CVE-2026-34310Same vendor: Oracle

CVE-2026-35229Same vendor: Oracle

References

https://www.oracle.com/security-alerts/cpuapr2026.html
Vendor Advisory · secalert_us@oracle.com