CVE-2026-22016
Unauthenticated Remote Code Access via JAXP in Oracle Java SE
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: Oracle
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oracle | jre | 1.8.0 |
| oracle | jre | 1.8.0 |
| oracle | jre | 1.8.0 |
| oracle | jre | 11.0.30 |
| oracle | jre | 17.0.18 |
| oracle | jre | 21.0.10 |
| oracle | jre | 25.0.2 |
| oracle | jre | 26 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 11.0.30 |
| oracle | jdk | 17.0.18 |
| oracle | jdk | 21.0.10 |
| oracle | jdk | 25.0.2 |
| oracle | jdk | 26 |
| oracle | graalvm | 21.3.17 |
| oracle | graalvm_for_jdk | 17.0.18 |
| oracle | graalvm_for_jdk | 21.0.10 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically in the JAXP component. It allows an unauthenticated attacker with network access via multiple protocols to exploit the system easily. The attacker can use APIs, such as those exposed by web services, to compromise the affected products. The vulnerability also impacts Java deployments that run sandboxed Java Web Start applications or sandboxed Java applets which load and run untrusted code from the internet relying on the Java sandbox for security.
Successful exploitation can lead to unauthorized access to critical data or complete access to all data accessible by the affected Oracle Java SE and GraalVM products.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow attackers to gain unauthorized access to critical or all accessible data within the affected Oracle Java SE and GraalVM environments. This means sensitive information could be exposed or stolen without any user interaction or authentication.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an unauthenticated attacker with network access to gain unauthorized access to critical data or all accessible data in affected Oracle Java SE and GraalVM products.
Such unauthorized access to sensitive or critical data could potentially lead to non-compliance with data protection regulations and standards such as GDPR or HIPAA, which require protection of confidential data and prevention of unauthorized access.
However, the provided information does not explicitly describe the impact on compliance with these standards.