Vulnerability in Oracle Fusion Middleware's HTTP Server Component
CVE-2026-34291

8.7 HIGH

Key Information:

Vendor: Oracle

CVE Published: 21 April 2026

What is CVE-2026-34291?

An unauthenticated access vulnerability has been identified in the Oracle HTTP Server component of Oracle Fusion Middleware, affecting versions 12.2.1.4.0 and 14.1.2.0.0. The vulnerability is challenging to exploit, but it allows an attacker with network access to compromise the HTTP server without any authentication. The potential impact includes unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to sensitive information within the Oracle HTTP Server environment. Because Oracle HTTP Server is connected to other systems, successful exploitation may affect not only the HTTP server itself but also associated products.

Affected Version(s)

Oracle HTTP Server 12.2.1.4.0

Oracle HTTP Server 14.1.2.0.0

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
