Skip to main content

Oracle Access Manager CVE-2026-35261

| EUVDEUVD-2026-37394 MEDIUM
Improper Authentication (CWE-287)
2026-06-16 oracle
6.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible HTTP endpoint requires no credentials or interaction; limited data read/write impact with no availability effect and no scope change to downstream systems.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:13 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

AnalysisAI

Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify OAM HTTP endpoint on network
Delivery
Send unauthenticated crafted HTTP request
Exploit
Trigger Authentication Engine bypass
Execution
Read subset of OAM authentication data
Impact
Perform unauthorized data insert, update, or delete

Vulnerability AssessmentAI

Exploitation No special conditions are required beyond network-level HTTP access to the Oracle Access Manager instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N establishes a moderately severe baseline - network-reachable, trivially exploitable without credentials or user interaction, but with bounded impact (partial confidentiality and integrity, no availability disruption, no scope change). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker with HTTP network access to an Oracle Access Manager instance sends a specially crafted HTTP request targeting the Authentication Engine on a vulnerable 12.2.1.4.0 or 14.1.2.1.0 deployment. By exploiting the authentication bypass flaw, the attacker is able to read a subset of OAM-accessible data (such as authentication policy data or session records) and perform unauthorized insert, update, or delete operations on that data without presenting valid credentials. …
Remediation Apply the patches issued in Oracle's Critical Patch Update (CPU) for June 2026, available at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses both affected versions 12.2.1.4.0 and 14.1.2.1.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-35261 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy