Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Network HTTP reach (AV:N), Oracle calls it easily exploitable (AC:L), a low-privileged ODI account is required (PR:L), no user interaction, with full read/write impact on ODI data and partial DoS (C:H/I:H/A:L).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Data Integrator product of Oracle Fusion Middleware (component: Market Place). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Data Integrator. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Data Integrator accessible data as well as unauthorized access to critical data or complete access to all Oracle Data Integrator accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Data Integrator. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).
AnalysisAI
Authenticated tampering and data exposure in Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 (Market Place component) allows a low-privileged attacker with HTTP network access to read, modify, or delete all data accessible to the product and induce a partial denial of service. Oracle assigns a CVSS 3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L), and no public exploit identified at time of analysis. The flaw is described by Oracle as easily exploitable, raising the priority for any externally reachable ODI deployment.
Technical ContextAI
Oracle Data Integrator (ODI) is an enterprise ETL/ELT and data integration platform within Oracle Fusion Middleware, used to orchestrate batch and bulk data movement across heterogeneous databases and applications. The affected Market Place component handles integration with Oracle's Marketplace catalog and related provisioning workflows over HTTP. No CWE is assigned in the input, but the combination of high confidentiality and integrity impact at low privilege strongly suggests broken access control or authorization-bypass logic in a Market Place HTTP endpoint, allowing an authenticated ODI user to act beyond their intended role rather than a memory-corruption or injection class issue.
RemediationAI
Patch available per vendor advisory: apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 - Oracle does not publish a single 'fixed' version string in the advisory body, so the exact patched build must be taken from the CPU's ODI section. Until the CPU can be applied, restrict HTTP access to the ODI Market Place component and the broader ODI Studio/Console endpoints to trusted management networks via firewall or reverse-proxy ACLs, and audit low-privileged ODI accounts to reduce the pool of identities that satisfy PR:L; note that network restrictions will block legitimate Marketplace browsing and account audits may disrupt scheduled integration jobs run under service accounts. Rotate credentials and review ODI repository audit logs for unexpected create/modify/delete actions on integration artifacts before assuming the environment is clean post-patch.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37395