CVE-2026-34268
Unauthorized Data Access Vulnerability in Oracle Java SE Security APIs
Publication date: 2026-04-21
Last updated on: 2026-04-27
Assigner: Oracle
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oracle | jre | 1.8.0 |
| oracle | jre | 11.0.30 |
| oracle | jre | 17.0.18 |
| oracle | jre | 21.0.10 |
| oracle | jre | 25.0.2 |
| oracle | jre | 26 |
| oracle | jdk | 1.8.0 |
| oracle | jdk | 11.0.30 |
| oracle | jdk | 17.0.18 |
| oracle | jdk | 21.0.10 |
| oracle | jdk | 25.0.2 |
| oracle | jdk | 26 |
| oracle | graalvm | 21.3.17 |
| oracle | graalvm_for_jdk | 17.0.18 |
| oracle | graalvm_for_jdk | 21.0.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition, specifically in the Security component. It affects several supported versions of these products.
The vulnerability is difficult to exploit and requires an unauthenticated attacker with logon access to the infrastructure where these Oracle products execute. An attacker in that position can then compromise the affected Oracle Java SE or GraalVM products.
Successful exploitation can result in unauthorized read access to a subset of the data accessible to these products. The vulnerability can be exploited via APIs in the affected component, for example through a web service that supplies data to those APIs.
It also applies to Java deployments running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code relying on the Java sandbox for security.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker with access to the infrastructure to gain unauthorized read access to certain data within Oracle Java SE or GraalVM environments.
Because the vulnerability is difficult to exploit and requires local logon access, the risk is largely limited to environments where an attacker can already access the system.
However, unauthorized data disclosure could still lead to information leakage, affecting the confidentiality of sensitive information processed or stored by these Java environments.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized read access to a subset of data accessible by Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition. Such unauthorized access to data could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls on unauthorized data access and confidentiality.
However, the vulnerability is described as difficult to exploit and requires the attacker to have logon access to the infrastructure where the affected products execute, which may limit the risk in some environments.
No specific information about direct impacts on compliance frameworks or regulatory requirements is provided in the available context.