HIGH · CVE-2026-35262 · CNA: oracle

CVE-2026-35262: Vulnerability in the Oracle Data Integrator product of Oracle Fusion Middleware (component: Market Place)

Vulnerability in the Oracle Data Integrator product of Oracle Fusion Middleware (component: Market Place). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Data Integrator. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Data Integrator accessible data as well as unauthorized access to critical data or complete access to all Oracle Data Integrator accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Data Integrator. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L).

Metrics

  • CVSS v3.1: 8.3
  • Severity: HIGH
  • Fixed in: none listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An access-control vulnerability in the Market Place component of Oracle Data Integrator (part of Oracle Fusion Middleware) allows a low-privileged attacker who can reach the service over HTTP to compromise the product. No victim interaction is needed, and attack complexity is low: exploitation does not depend on special timing or environmental conditions. Successful exploitation gives the attacker full read and write access to all data accessible to Oracle Data Integrator, plus the ability to partially disrupt service availability. No fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle Data Integrator 12.2.1.4.0 or 14.1.2.0.0. Any registry or CI pipeline scan that touches an affected image will surface the finding immediately.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.3 (High) and weights it against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

No fix version has been published by Oracle at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a patch exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Data Integrator Market Place component over a network via HTTP; local or physical access is not required.

  • Authentication: Required

    A valid account is needed, but any low-privilege account is sufficient; no administrative credentials are required.

  • Victim interaction: Not required

    The attacker acts entirely on their own; no user needs to click a link or take any action.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental setup.

Blast Radius

  • Reads all data accessible to Oracle Data Integrator, including credentials, integration metadata, and any business data exposed through configured connections.
  • Creates, modifies, or deletes critical data across all Oracle Data Integrator accessible datasets, including integration definitions and target-system records.
  • Partially disrupts Oracle Data Integrator service availability, causing degraded performance or intermittent outages for dependent integration workflows.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-35262 is active across all scanning environments and will flag any image containing Oracle Data Integrator 12.2.1.4.0 or 14.1.2.0.0. Because Oracle has not published a fix version, no patched-image rebuild is available yet. In the interim, compensating controls worth considering include network-policy isolation that restricts HTTP access to the Market Place component to known and authorized source CIDRs only, and egress filtering to limit what the component can reach if it is compromised. Where compliance policy permits, HarborGuard can apply a network-isolation annotation to affected workloads as a holding measure. The advisory is re-checked on every ingest cycle; as soon as Oracle publishes a patched release, a rebuilt image will become available, and customers with auto-remediation enabled will receive a rebuild, regression-test run, and a PR opened against affected workloads automatically.

Affected packages
  • Oracle Corporation / Oracle Data Integrator
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L