{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34312", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "state": "PUBLISHED", "assignerShortName": "oracle", "dateReserved": "2026-03-26T19:48:45.680Z", "datePublished": "2026-04-21T20:35:37.341Z", "dateUpdated": "2026-04-22T13:33:06.163Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:37.341Z"}, "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS accessible data."}]}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Database Server", "versions": [{"version": "19.3", "status": "affected", "lessThanOrEqual": "19.30", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:database_-_rdbms:*:*:*:*:*:*:*:*", "versionStartIncluding": "19.3", "versionEndIncluding": "19.30"}]}]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the RDBMS component of Oracle Database Server. Supported versions that are affected are 19.3-19.30. Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS accessible data. CVSS 3.1 Base Score 2.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)."}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "metrics": [{"cvssV3_1": {"attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "baseScore": 2.4, "baseSeverity": "LOW"}}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-284", "lang": "en", "description": "CWE-284 Improper Access Control"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:31:59.633092Z", "id": "CVE-2026-34312", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:33:06.163Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.4, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Oracle Corporation", "product": "Oracle Database Server", "versions": [{"status": "affected", "version": "19.3", "versionType": "custom", "lessThanOrEqual": "19.30"}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpuapr2026.html", "name": "Oracle Advisory", "tags": ["vendor-advisory"]}], "descriptions": [{"lang": "en-US", "value": "Vulnerability in the RDBMS component of Oracle Database Server. Supported versions that are affected are 19.3-19.30. Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS accessible data. CVSS 3.1 Base Score 2.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "description": "Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS accessible data."}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oracle:database_-_rdbms:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "19.30", "versionStartIncluding": "19.3"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle", "dateUpdated": "2026-04-21T20:35:37.341Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34312", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-22T13:31:59.633092Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-284", "description": "CWE-284 Improper Access Control"}]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-22T13:32:42.531Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-34312", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:35:37.341Z", "dateReserved": "2026-03-26T19:48:45.680Z", "assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "datePublished": "2026-04-21T20:35:37.341Z", "assignerShortName": "oracle"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:database_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "966F6BE9-5DC7-40E3-929E-6DB1BD5E6336", "versionEndIncluding": "19.30", "versionStartIncluding": "19.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the RDBMS component of Oracle Database Server. Supported versions that are affected are 19.3-19.30. Easily exploitable vulnerability allows high privileged attacker having Row Access Method privilege with network access via multiple protocols to compromise RDBMS. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of RDBMS accessible data. CVSS 3.1 Base Score 2.4 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N)."}], "id": "CVE-2026-34312", "lastModified": "2026-04-27T13:04:16.970", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 1.4, "source": "secalert_us@oracle.com", "type": "Secondary"}]}, "published": "2026-04-21T21:16:36.650", "references": [{"source": "secalert_us@oracle.com", "tags": ["Vendor Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2026.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[19.3,19.30]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "database_-_rdbms", "vendor": "oracle"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[19.3,19.30]"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 86.0, "source": "matching"}]}, "original": {"product": "Oracle Database Server", "source": "cna", "vendor": "Oracle Corporation"}, "product": "database_server", "vendor": "oracle"}], "analysis": {"en": {"generated_at": "2026-04-22T04:53:51.472740+00:00", "value": {"mitigation_remediation": ["Apply the Oracle Database Server patch that addresses this issue or upgrade to a newer supported version that includes the fix.", "Re\u2011evaluate the assignment of Row\u00a0Access\u00a0Method privileges; limit them to the minimum set of users who truly need them and monitor any changes to these privileges.", "Disable unnecessary network protocols used to connect to the database and employ network segmentation or firewall rules to restrict exposure to only trusted hosts.", "Implement vigilant logging and monitoring of data access patterns to detect potential misuse of authorized privileges."], "summary": {"action": "Assess Impact", "impact": "Unauthorized read access to a subset of RDBMS data"}, "threat_synthesis": {"affected_systems": "Oracle Database Server versions 19.3 up to and including 19.30 are affected. These releases are currently supported and are the only ones identified for this vulnerability.", "description_and_impact": "The vulnerability in Oracle Database Server\u2019s RDBMS component allows a high\u2011privileged attacker who already possesses a Row\u00a0Access\u00a0Method privilege to read data stored within the database. To succeed the attacker must have network access through any of the supported protocols and the attack requires human interaction with a user other than the attacker. The impact is confined to confidentiality, with no direct effect on integrity or availability.", "risk_and_exploitability": "The CVSS\u00a03.1 base score of 2.4 indicates a low severity vulnerability that impacts confidentiality only. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, suggesting a limited likelihood of widespread exploitation. The exploit requires both network connectivity and privileged access, and also a second human actor, which further reduces the practical feasibility of an attack. However, in environments where the Row\u00a0Access\u00a0Method privilege is granted broadly, the potential for unauthorized read of data remains a concern."}}}}, "created": "2026-04-22T02:30:05.614010+00:00", "title": "Unauthorized Read Access via Row Access Method Privilege in Oracle Database Server", "updated": "2026-04-22T11:45:11.805005+00:00", "vendors": ["oracle", "oracle$PRODUCT$database_-_rdbms", "oracle$PRODUCT$database_server"], "weaknesses": ["CWE-284"]}