Cyber Resilience

CVE-2026-35231

High

Published: 21 April 2026

Published
21 April 2026
Modified
27 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0005 17.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-35231 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Financial Services Transaction Filtering. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-35231 is a vulnerability in the User Interface component of Oracle Financial Services Transaction Filtering, a product within Oracle Financial Services Applications. The supported version affected is 8.1.2.8.0. It is classified under CWE-284 and was published on 2026-04-21.

The vulnerability is easily exploitable by an unauthenticated attacker with network access via HTTP, allowing them to compromise Oracle Financial Services Transaction Filtering. Successful attacks can result in unauthorized access to critical data or complete access to all data accessible within the product. The CVSS 3.1 base score is 7.5, with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, reflecting high confidentiality impact and no integrity or availability effects.

Mitigation details are provided in the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cpuapr2026.html.

EU & UK References

Vulnerability details

Vulnerability in the Oracle Financial Services Transaction Filtering product of Oracle Financial Services Applications (component: User Interface). The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial…

more

Services Transaction Filtering. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financial Services Transaction Filtering accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

The vulnerability allows unauthenticated remote exploitation via HTTP against a public-facing web UI component, directly mapping to T1190. Successful exploitation grants unauthorized access to critical data within the product, facilitating T1005 for data collection from the local system.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-46839Same vendor: Oracle
CVE-2026-34291Same vendor: Oracle
CVE-2026-46822Same vendor: Oracle
CVE-2026-22010Same vendor: Oracle
CVE-2026-21962Same vendor: Oracle
CVE-2026-35229Same vendor: Oracle
CVE-2026-21997Same vendor: Oracle
CVE-2026-46821Same vendor: Oracle
CVE-2025-50060Same vendor: Oracle
CVE-2026-34310Same vendor: Oracle

Affected Assets

oracle
financial services transaction filtering
8.1.2.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the specific UI vulnerability by identifying, prioritizing, and applying the Oracle Critical Patch Update to remediate the flaw.

prevent

Monitors and controls network communications at external boundaries to block unauthenticated HTTP access to the vulnerable User Interface component.

prevent

Enforces approved access authorizations in the system, directly countering the CWE-284 improper access control allowing unauthorized data disclosure via the UI.

References