Skip to main content

Oracle Access Manager CVE-2026-35314

| EUVDEUVD-2026-37440 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.3
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
7.3 HIGH

WebGate is reachable over HTTP with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); description limits impact to subset read, partial write, and partial DoS, so C:L/I:L/A:L and S:U.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:41 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Web Server Plugin). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Access Manager. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

AnalysisAI

Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify OAM WebGate-protected endpoint
Delivery
Send crafted HTTP request to plugin
Exploit
Trigger flaw in Web Server Plugin
Execution
Gain partial read/write to OAM data
Impact
Degrade OAM availability for SSO consumers

Vulnerability AssessmentAI

Exploitation Exploitation requires only network HTTP reachability to an Oracle Access Manager Web Server Plugin (WebGate) deployment running version 12.2.1.4.0 or 14.1.2.1.0; no authentication, no user interaction, and no special non-default configuration are called out in the description (PR:N/UI:N/AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L = 7.3) describes a network-reachable, low-complexity, unauthenticated flaw with partial impact across all three CIA dimensions - a strong real-world risk profile for an internet-exposed identity component, since OAM/WebGate is typically the front door to enterprise SSO. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker enumerates an organization's SSO entry point, identifies an OAM-protected web application by its WebGate redirect, and sends crafted HTTP requests directly to the WebGate-fronted endpoint without any credentials. The requests exploit the Web Server Plugin to read, modify, or delete a subset of OAM-accessible data and to degrade the OAM service, undermining SSO availability for downstream applications. …
Remediation Apply the fixes from the Oracle Critical Patch Update June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to OAM 12.2.1.4.0 and 14.1.2.1.0 deployments, including the Web Server Plugin (WebGate) binaries on every front-end HTTP server - patching only the OAM server tier is insufficient because the vulnerable component is the plugin. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 deployments and document internet exposure; immediately restrict HTTP access to OAM Web Server Plugin if externally accessible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-35314 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy