Cyber Posture

CVE-2026-21969

Severity: Critical
Published: 20 January 2026
Modified: 29 January 2026
KEV Added:
Patch:
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0026 (49.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly remediates the critical vulnerability in Oracle Agile PLM Supplier Portal version 6.2.4 through timely application of vendor-provided patches.
- prevent: Restricts network access via boundary protections such as firewalls or WAFs to the HTTP-exposed Supplier Portal, limiting unauthenticated remote exploitation opportunities.
- prevent: Limits functions and actions permitted without identification or authentication in the Supplier Portal, mitigating risks from unauthenticated attackers achieving takeover.

Security Summary [AI-generated]

CVE-2026-21969 is a vulnerability in the Supplier Portal component of Oracle Agile Product Lifecycle Management for Process, a product within Oracle Supply Chain. The supported version affected is 6.2.4. Published on 2026-01-20, it carries a CVSS 3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts to confidentiality, integrity, and availability.

The vulnerability is easily exploitable by an unauthenticated attacker who has network access via HTTP. Successful exploitation allows the attacker to compromise Oracle Agile Product Lifecycle Management for Process, resulting in a full takeover of the application.

Oracle has published a security advisory with details on mitigation and patches at https://www.oracle.com/security-alerts/cpujan2026.html. Security practitioners should consult this advisory for specific remediation steps applicable to version 6.2.4.

Details

CWE(s):

Affected Products:
- Vendor: oracle
- Product: agile product lifecycle management for process
- Version: 6.2.4

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability allows unauthenticated remote exploitation via HTTP of a public-facing Supplier Portal web application, directly enabling T1190 (Exploit Public-Facing Application).

Confidence: HIGH (MITRE ATT&CK Enterprise v19.0)

References