Skip to main content

Oracle Access Manager CVE-2026-35313

| EUVDEUVD-2026-37439 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

HTTP-reachable component (AV:N), Oracle states easily exploitable (AC:L), requires a low-privileged OAM account (PR:L), no user interaction, and OAM takeover cascades to protected apps (S:C, C/I/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:40 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the identity broker via the Authentication Engine component, with a CVSS 9.9 score reflecting a scope-changing impact on downstream protected applications. No public exploit identified at time of analysis, but Oracle's June 2026 Critical Patch Update flags it as easily exploitable over HTTP, making it a high-priority patch for any environment using OAM for SSO/federation.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach OAM HTTP endpoint
Delivery
Authenticate with low-privileged account
Exploit
Send crafted request to Authentication Engine
Execution
Escalate to OAM administrative control
Persist
Mint or hijack SSO tokens (scope change)
Impact
Impersonate users across federated applications

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the Oracle Access Manager HTTP interface and a low-privileged authenticated account on the OAM tenant (CVSS PR:L), with no user interaction needed (UI:N) and low attack complexity (AC:L); the affected component is specifically the Authentication Engine in OAM 12.2.1.4.0 or 14.1.2.1.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to a high-priority issue: CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H yields 9.9, with a scope change indicating impact beyond OAM itself onto the applications it protects. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains or registers a low-privileged account on an internet-reachable OAM instance, then sends crafted HTTP requests to the Authentication Engine to abuse the flaw and obtain elevated session artifacts or full administrative control of OAM. Because of the scope change, the attacker pivots from OAM takeover to forging or hijacking SSO sessions for downstream applications (Oracle E-Business Suite, PeopleSoft, custom web apps), effectively impersonating arbitrary users across the federated estate.
Remediation Apply the patches bundled in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 - this is the only vendor-released fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all OAM 12.2.1.4.0 and 14.1.2.1.0 instances; implement network segmentation restricting OAM access to authorized administrators; enable detailed audit logging on the Authentication Engine; disable HTTP access if HTTPS is available. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-35313 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy