Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-accessible HTTP endpoint requires no credentials or interaction; limited data read/write impact with no availability effect and no scope change to downstream systems.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
AnalysisAI
Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions are required beyond network-level HTTP access to the Oracle Access Manager instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N establishes a moderately severe baseline - network-reachable, trivially exploitable without credentials or user interaction, but with bounded impact (partial confidentiality and integrity, no availability disruption, no scope change). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker with HTTP network access to an Oracle Access Manager instance sends a specially crafted HTTP request targeting the Authentication Engine on a vulnerable 12.2.1.4.0 or 14.1.2.1.0 deployment. By exploiting the authentication bypass flaw, the attacker is able to read a subset of OAM-accessible data (such as authentication policy data or session records) and perform unauthorized insert, update, or delete operations on that data without presenting valid credentials. … |
| Remediation | Apply the patches issued in Oracle's Critical Patch Update (CPU) for June 2026, available at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses both affected versions 12.2.1.4.0 and 14.1.2.1.0. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Access Manager
View allPrivilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote atta
Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plug
Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - continge
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37394