{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21973", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-01-05T18:07:34.715Z", "datePublished": "2026-01-20T21:56:36.283Z", "dateUpdated": "2026-01-21T17:22:59.687Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:36.283Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle FLEXCUBE Investor Servicing", "versions": [{"version": "14.5.0.15.0", "status": "affected", "versionType": "semver"}, {"version": "14.7.0.8.0", "status": "affected", "versionType": "semver"}, {"version": "14.8.0.1.0", "status": "affected", "versionType": "semver"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.5.0.15.0:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.7.0.8.0:*:*:*:*:*:*:*"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.8.0.1.0:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-21T17:22:40.523062Z", "id": "CVE-2026-21973", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T17:22:59.687Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21973", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-21T17:22:40.523062Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-21T17:22:49.292Z"}}], "cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle FLEXCUBE Investor Servicing", "versions": [{"status": "affected", "version": "14.5.0.15.0", "versionType": "semver"}, {"status": "affected", "version": "14.7.0.8.0", "versionType": "semver"}, {"status": "affected", "version": "14.8.0.1.0", "versionType": "semver"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.5.0.15.0:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.7.0.8.0:*:*:*:*:*:*:*", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.8.0.1.0:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-01-20T21:56:36.283Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21973", "state": "PUBLISHED", "dateUpdated": "2026-01-21T17:22:59.687Z", "dateReserved": "2026-01-05T18:07:34.715Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-01-20T21:56:36.283Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.5.0.15.0:*:*:*:*:*:*:*", "matchCriteriaId": "1F10A63A-C33C-4AF9-B191-9E1C316D767D", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.7.0.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "7BD60BD3-6A87-476B-A150-6BC4EA075D83", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:flexcube_investor_servicing:14.8.0.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "352D23AE-0660-4E40-B567-99E9C60A40C5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)."}], "id": "CVE-2026-21973", "lastModified": "2026-02-02T18:38:25.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "secalert_us@oracle.com", "type": "Primary"}]}, "published": "2026-01-20T22:16:00.460", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T04:25:05.821247+00:00", "value": {"mitigation_remediation": ["Apply the latest Oracle security patch that addresses the access control flaw for all affected FLEXCUBE Investor Servicing releases, as described in Oracle\u2019s CPU Jan\u202f2026 advisory.", "Restrict HTTP access to the FLEXCUBE Installer by limiting connections to trusted IP addresses or moving the service behind a VPN or reverse proxy.", "Review and tighten role\u2011based permissions so that low\u2011privileged users retain only those privileges required for their duties; remove any rights that allow creation, deletion or modification of critical data."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized modification of critical data and potential deletion by low\u2011privileged attackers"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Oracle FLEXCUBE Investor Servicing versions 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0 as listed by Oracle. Enterprises using any of these releases are at risk if they expose the HTTP interface to untrusted users.", "description_and_impact": "Oracle FLEXCUBE Investor Servicing is vulnerable to an access control flaw that allows a low\u2011privileged attacker with network access via HTTP to create, delete or modify critical data. This flaw can result in significant confidentiality and integrity breaches as the attacker could alter or expunge vital financial information. The weakness is categorized by CWE\u2011284 (Improper Access Control).", "risk_and_exploitability": "The CVSS 3.1 base score is 8.1 with network access, low attack complexity, low privileges and no user interaction required. The EPSS score is below 1\u202f%, indicating low but non\u2011zero exploitation probability, and the issue is not yet listed in CISA\u2019s KEV catalog. The attack vector is clear: a network attacker can use HTTP to reach the vulnerable component and exploit the broken access controls to alter data."}}}}, "created": "2026-04-18T04:30:35.830988+00:00", "title": "Access Control Bypass Allows Low\u2011Privilege Attackers to Modify Critical Data in Oracle FLEXCUBE Investor Servicing", "updated": "2026-04-18T04:30:35.831015+00:00", "vendors": [], "weaknesses": ["CWE-284"]}