TL;DR: Oracle Java SE and GraalVM JAXP information disclosure, classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). Vendor score (Oracle CPU April 2026): 7.5 HIGH. The Oracle CPU score reflects the observed exploitation complexity for this JAXP component. Patch on the published score and monitor the multi-protocol attack vectors described below.
What This Vulnerability Is
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE 8u481, 11.0.30, 17.0.18, 21.0.10, 25.0.2, 26; Oracle GraalVM for JDK 17.0.18 and 21.0.10; Oracle GraalVM Enterprise Edition 21.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
The Oracle Critical Patch Update for April 2026 assigned this issue a CVSS base score of 7.5, placing it in the HIGH category. The identifier CVE-2026-22016 was published on 21 April 2026. The weakness class is CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor).
- CVE Identifier: CVE-2026-22016
- CVSS Base Score: 7.5 / 10.0 (HIGH)
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weakness Class: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
- Published: 21 April 2026
- Vendor Advisory: https://www.oracle.com/security-alerts/cpuapr2026.html
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2026-22016
How a Sherlock Forensic Examiner Triages a Suspected Oracle Java JAXP Info Disclosure
If you suspect this vulnerability has been exploited against a Java application server, the first artifact a Sherlock forensic examiner pulls is the JVM heap dump. CWE-200 information disclosure means the attacker walks away with data that should never have left process memory. On Linux, pull a heap dump of the suspected process with jcmd <pid> GC.heap_dump /path/to/heap.hprof. Record a SHA-256 hash of the dump before opening it. Open the dump in Eclipse Memory Analyzer (MAT) or VisualVM. Look for string buffers holding data that should never have reached a JAXP parser, particularly XML document fragments containing credentials, session tokens or PII that originated from sources outside the application boundary.
The second artifact is the JAXP parser configuration. JAXP is the standard Java API for XML Processing. The vulnerable code path in CVE-2026-22016 leads to information disclosure when the parser is configured with permissive defaults that allow external entity resolution or DTD processing. Pull the application code and configuration that construct the SAXParserFactory, DocumentBuilderFactory or XMLInputFactory. Look for missing calls to setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true), missing disable-external-entity settings, or explicit enabling of external DTD resolution. Document the parser-factory configuration as it existed at the time of suspected exploitation, then diff it against the version-controlled baseline.
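As an added example (not code from the page, Oracle or the Sherlock methodology), the hardened factory below is the baseline to diff an application's parser-construction code against, and the probe method reports whether a given factory refuses a DOCTYPE before resolving anything. The hardening set is the standard JDK Xerces/StAX external-entity hardening (the OWASP XXE guidance), not a description of the exact CVE-2026-22016 code path; the class name, the probe document and the probe.invalid host are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.stream.XMLInputFactory;
import org.xml.sax.SAXParseException;

public class JaxpParserAudit {
    // Hardened DOM baseline to diff application factory code against (JDK Xerces feature URIs).
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");    // no external DTD fetches
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, ""); // no external schema fetches
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // StAX equivalent for code paths that construct an XMLInputFactory instead.
    static XMLInputFactory hardenedStaxFactory() {
        XMLInputFactory xif = XMLInputFactory.newInstance();
        xif.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        xif.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return xif;
    }

    // Constructed probe: one external entity on a placeholder host under the reserved .invalid TLD.
    static final String PROBE = "<?xml version=\"1.0\"?>"
        + "<!DOCTYPE d [<!ENTITY ext SYSTEM \"http://probe.invalid/x\">]><d>&ext;</d>";

    // true only when the parser refuses the DOCTYPE before resolving anything.
    static boolean refusesDoctype(DocumentBuilderFactory dbf) throws Exception {
        try {
            dbf.newDocumentBuilder().parse(new ByteArrayInputStream(PROBE.getBytes(StandardCharsets.UTF_8)));
            return false;                                // parsed: the entity was expanded
        } catch (SAXParseException e) { return true;     // DOCTYPE rejected up front
        } catch (IOException e)       { return false; }  // fetch was attempted (fails offline)
    }
    public static void main(String[] args) throws Exception {
        // Factory defaults are the permissive shape the audit is looking for.
        System.out.println("defaults refuse DOCTYPE:  " + refusesDoctype(DocumentBuilderFactory.newInstance()));
        System.out.println("hardened refuses DOCTYPE: " + refusesDoctype(hardenedFactory()));
    }
}
```

Running refusesDoctype against the factory an application actually builds (rather than the two shown in main) turns the configuration audit into a repeatable check that can be kept in the test suite.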
The third artifact is the network capture for the multi-protocol attack vector. The NVD scoring notes the vulnerability is exploitable over multiple protocols. Pull the network traffic capture for the application server for the suspected exploitation window. Filter for inbound XML payloads on application protocols (HTTP, RMI, JMX, SOAP web services) and outbound DNS queries or HTTP requests originating from the JVM that do not correspond to legitimate application behavior. XML external entity exploitation typically produces outbound DNS or HTTP traffic to attacker-controlled domains as the data-exfiltration channel.
The fourth artifact is the application access log cross-referenced against the database query log. Information disclosure exploitation that pivots through JAXP often reaches sensitive data through application-layer queries. Pull the application access log for the suspected exploitation window. Cross-reference application audit timestamps with database query timestamps. Unusual queries from application service accounts in the same window as the JAXP-disclosure window are the lateral-movement indicator that confirms the disclosure scope.
Detection Signature
Illustrative Sigma rule for SIEM-based detection. Tune the legitimate-application allowlist to your baseline before production deployment.
title: JAXP Parser External Entity Resolution CVE-2026-22016
id: cve-2026-22016-jaxp-info-disclosure
status: experimental
description: Detects JVM outbound DNS or HTTP requests to non-application domains that may indicate JAXP external entity exploitation.
logsource:
    category: network_connection
    product: linux
detection:
    selection:
        Image|endswith:
            - '/java'
            - '/javaw'
    filter_legitimate:
        DestinationHostname|contains:
            - 'application-known-domain.example'
    condition: selection and not filter_legitimate
level: medium
What to Do About It
- Apply the Oracle Critical Patch Update. Follow the Oracle April 2026 CPU advisory for the patched Java SE and GraalVM versions. Patch the JVM on every host running an affected version. Application vendors that bundle a JRE need to ship a separate patch update.
- Audit JAXP parser configuration across the application portfolio. Run the forensic triage above on any system showing the JAXP-disclosure indicator pattern. The Sherlock forensic angle in this analysis is grounded in primary-source NVD data plus Sherlock incident response methodology. If your team lacks the bandwidth, an external incident response engagement closes the gap.
- Subscribe to the CISA Known Exploited Vulnerabilities catalog. The CISA KEV catalog tracks CVEs with confirmed in-the-wild exploitation. Treat additions to the KEV catalog as emergency patch tickets.
- Document your response. Record what you checked, what you patched and what residual risk remains. This matters for compliance plus any incident response activity that follows.