CVE-2026-35243
Published: 21 April 2026
Summary
CVE-2026-35243 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Application Development Framework. Its CVSS base score is 7.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 8.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates CVE-2026-35243 by requiring timely application of the ADF Faces fix as detailed in Oracle's April 2026 Critical Patch Update.
- AC-3 (Access Enforcement): enforces approved authorizations to counter the improper access control (CWE-284) flaw that lets a low-privileged local attacker take over ADF.
- AC-6 (Least Privilege): restricts which low-privileged users can log on to the infrastructure where ADF executes, limiting the reach of the local logon vector that leads to ADF compromise.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a local vulnerability (AV:L) requiring only low privileges (PR:L): an attacker with logon access to the host where ADF executes can exploit the improper access control (CWE-284) flaw for full compromise (takeover) of Oracle ADF, which maps directly to Exploitation for Privilege Escalation.
NVD Description
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Deeper analysis
CVE-2026-35243 is a vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware, specifically the ADF Faces component. The supported versions affected are 12.2.1.4.0 and 14.1.2.0.0. It is associated with CWE-284 (Improper Access Control) and has a CVSS 3.1 base score of 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impacts to confidentiality, integrity, and availability.
The vulnerability is easily exploitable by a low-privileged attacker who already has logon access to the infrastructure where Oracle ADF executes. Successful attacks enable compromise and takeover of Oracle ADF.
Oracle has published details on mitigation in their April 2026 Critical Patch Update advisory, available at https://www.oracle.com/security-alerts/cpuapr2026.html.
Details
- CWE(s)