Skip to main content

Oracle ADF CVE-2026-46769

| EUVDEUVD-2026-37458 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

HTTP-reachable so AV:N, no special conditions AC:L, requires existing high-privileged ADF account so PR:H, no victim action UI:N, full takeover gives C/I/A:H.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:11 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Shared Components). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privileged ADF credentials
Delivery
Reach ADF Shared Components over HTTP
Exploit
Send crafted request to vulnerable component
Execution
Achieve full ADF takeover
Impact
Impact confidentiality, integrity, and availability

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already possess high privileges on the target Oracle ADF deployment (PR:H) and network HTTP reachability to the ADF Shared Components interface; no user interaction is needed (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H produces a base score of 7.2 (High), driven by full C/I/A impact but tempered by the PR:H requirement that the attacker already hold high privileges within the ADF environment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already obtained high-privileged credentials on an Oracle Fusion Middleware environment - for example through a phished administrator account or a chained exploit elsewhere in the stack - sends crafted HTTP requests to the ADF Shared Components interface. Because the vector is AC:L and UI:N, the request requires no special timing and no victim interaction, and a successful request results in full takeover of the ADF instance with high impact to confidentiality, integrity, and availability. …
Remediation Apply the patches distributed in the Oracle Critical Security Patch Update for June 2026 referenced at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory, with exact patched build numbers identified in the CPU matrix for the 12.2.1.4.0 and 14.1.2.0.0 release lines. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Oracle Fusion Middleware ADF 12.2.1.4.0 and 14.1.2.0.0; implement network access restrictions to ADF Shared Components limiting HTTP connectivity to administrative users only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46769 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy