Skip to main content

Oracle Data Integrator EUVDEUVD-2026-37395

| CVE-2026-35262 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.3
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.3 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
vuln.today AI
8.3 HIGH

Network HTTP reach (AV:N), Oracle calls it easily exploitable (AC:L), a low-privileged ODI account is required (PR:L), no user interaction, with full read/write impact on ODI data and partial DoS (C:H/I:H/A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:16 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Data Integrator product of Oracle Fusion Middleware (component: Market Place). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Data Integrator. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Data Integrator accessible data as well as unauthorized access to critical data or complete access to all Oracle Data Integrator accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Data Integrator. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

AnalysisAI

Authenticated tampering and data exposure in Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 (Market Place component) allows a low-privileged attacker with HTTP network access to read, modify, or delete all data accessible to the product and induce a partial denial of service. Oracle assigns a CVSS 3.1 base score of 8.3 (AV:N/AC:L/PR:L/UI:N/C:H/I:H/A:L), and no public exploit identified at time of analysis. The flaw is described by Oracle as easily exploitable, raising the priority for any externally reachable ODI deployment.

Technical ContextAI

Oracle Data Integrator (ODI) is an enterprise ETL/ELT and data integration platform within Oracle Fusion Middleware, used to orchestrate batch and bulk data movement across heterogeneous databases and applications. The affected Market Place component handles integration with Oracle's Marketplace catalog and related provisioning workflows over HTTP. No CWE is assigned in the input, but the combination of high confidentiality and integrity impact at low privilege strongly suggests broken access control or authorization-bypass logic in a Market Place HTTP endpoint, allowing an authenticated ODI user to act beyond their intended role rather than a memory-corruption or injection class issue.

RemediationAI

Patch available per vendor advisory: apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to Oracle Data Integrator 12.2.1.4.0 and 14.1.2.0.0 - Oracle does not publish a single 'fixed' version string in the advisory body, so the exact patched build must be taken from the CPU's ODI section. Until the CPU can be applied, restrict HTTP access to the ODI Market Place component and the broader ODI Studio/Console endpoints to trusted management networks via firewall or reverse-proxy ACLs, and audit low-privileged ODI accounts to reduce the pool of identities that satisfy PR:L; note that network restrictions will block legitimate Marketplace browsing and account audits may disrupt scheduled integration jobs run under service accounts. Rotate credentials and review ODI repository audit logs for unexpected create/modify/delete actions on integration artifacts before assuming the environment is clean post-patch.

Share

EUVD-2026-37395 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy