CVE-2026-22013
JGSS Vulnerability in Oracle Java SE Allows Unauthorized Data Access
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: Oracle
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oracle | jdk | 1.8.0 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 11.0.30 |
| oracle | jdk | 17.0.18 |
| oracle | jdk | 21.0.10 |
| oracle | jdk | 25.0.2 |
| oracle | jdk | 26 |
| oracle | graalvm | 21.3.17 |
| oracle | graalvm_for_jdk | 17.0.18 |
| oracle | graalvm_for_jdk | 21.0.10 |
| oracle | jre | 1.8.0 |
| oracle | jre | 1.8.0 |
| oracle | jre | 1.8.0 |
| oracle | jre | 11.0.30 |
| oracle | jre | 17.0.18 |
| oracle | jre | 21.0.10 |
| oracle | jre | 25.0.2 |
| oracle | jre | 26 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-693 | The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically in the JGSS component. It is a difficult to exploit issue that allows an unauthenticated attacker with network access through multiple protocols to potentially compromise these products.
Successful exploitation requires human interaction from someone other than the attacker. The vulnerability mainly impacts Java deployments that run untrusted code, such as sandboxed Java Web Start applications or sandboxed Java applets that load code from the internet and rely on the Java sandbox for security.
If exploited, it can lead to unauthorized access to critical or all accessible data within the affected Oracle Java environments. It does not affect Java deployments that only run trusted code installed by an administrator, typically server environments.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to critical or all accessible data within Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition environments.
Because exploitation requires network access and human interaction, an attacker could trick a user into triggering the vulnerability, potentially exposing sensitive information.
The impact is mainly on client-side Java applications that run untrusted code, which could result in data breaches or exposure of confidential information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability can result in unauthorized access to critical data or complete access to all accessible data within affected Oracle Java SE and GraalVM products. Such unauthorized access to sensitive or personal data could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding confidential information against unauthorized access.
However, the vulnerability specifically affects Java deployments that run untrusted code in sandboxed environments and requires user interaction, which may limit the scope of exposure. There is no direct mention of compliance impact in the provided information.