Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
HTTP-reachable component (AV:N), Oracle states easily exploitable (AC:L), requires a low-privileged OAM account (PR:L), no user interaction, and OAM takeover cascades to protected apps (S:C, C/I/A:H).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Privilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the identity broker via the Authentication Engine component, with a CVSS 9.9 score reflecting a scope-changing impact on downstream protected applications. No public exploit identified at time of analysis, but Oracle's June 2026 Critical Patch Update flags it as easily exploitable over HTTP, making it a high-priority patch for any environment using OAM for SSO/federation.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the Oracle Access Manager HTTP interface and a low-privileged authenticated account on the OAM tenant (CVSS PR:L), with no user interaction needed (UI:N) and low attack complexity (AC:L); the affected component is specifically the Authentication Engine in OAM 12.2.1.4.0 or 14.1.2.1.0. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to a high-priority issue: CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H yields 9.9, with a scope change indicating impact beyond OAM itself onto the applications it protects. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains or registers a low-privileged account on an internet-reachable OAM instance, then sends crafted HTTP requests to the Authentication Engine to abuse the flaw and obtain elevated session artifacts or full administrative control of OAM. Because of the scope change, the attacker pivots from OAM takeover to forging or hijacking SSO sessions for downstream applications (Oracle E-Business Suite, PeopleSoft, custom web apps), effectively impersonating arbitrary users across the federated estate. |
| Remediation | Apply the patches bundled in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 - this is the only vendor-released fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all OAM 12.2.1.4.0 and 14.1.2.1.0 instances; implement network segmentation restricting OAM access to authorized administrators; enable detailed audit logging on the Authentication Engine; disable HTTP access if HTTPS is available. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Access Manager
View allRemote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plug
Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modi
Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - continge
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37439