CVE-2026-22007
Unauthorized Data Access via API in Oracle Java SE Security
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: Oracle
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oracle | graalvm | 21.3.17 |
| oracle | graalvm_for_jdk | 17.0.18 |
| oracle | graalvm_for_jdk | 21.0.10 |
| oracle | jre | 1.8.0 |
| oracle | jre | 11.0.30 |
| oracle | jre | 17.0.18 |
| oracle | jre | 21.0.10 |
| oracle | jre | 25.0.2 |
| oracle | jre | 26 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 11.0.30 |
| oracle | jdk | 17.0.18 |
| oracle | jdk | 21.0.10 |
| oracle | jdk | 25.0.2 |
| oracle | jdk | 26 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized read access to a subset of accessible data in Oracle Java SE and related products. Such unauthorized data access could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over unauthorized access to sensitive data.
However, the vulnerability is described as difficult to exploit and requires an attacker to have logon access to the infrastructure where the affected products execute. The confidentiality impact is rated as low (CVSS score 2.9), indicating limited data exposure.
Organizations using affected Oracle Java SE or GraalVM products should consider this vulnerability in their risk assessments and ensure appropriate controls and monitoring are in place to maintain compliance with relevant standards and regulations.
Can you explain this vulnerability to me?
This vulnerability exists in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition within the Security component. It affects several supported versions including Oracle Java SE 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26, and specific versions of GraalVM.
The vulnerability is difficult to exploit and requires an unauthenticated attacker to have logon access to the infrastructure where these products execute. It can be exploited via APIs, for example through a web service supplying data to these APIs.
Successful exploitation can lead to unauthorized read access to some accessible data within these Oracle Java environments. It also affects Java deployments running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code relying on the Java sandbox for security.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker with access to the infrastructure to read some data they should not be authorized to access within Oracle Java SE or GraalVM environments.
The impact is limited to confidentiality as the vulnerability does not affect integrity or availability.
Because exploitation requires local access and is difficult to exploit, the risk is somewhat mitigated but still present if an attacker gains the necessary access.