Skip to main content

Oracle ADF CVE-2026-46770

| EUVDEUVD-2026-37459 MEDIUM
Improper Access Control (CWE-284)
2026-06-16 oracle
6.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered via HTTP with no auth required; mandatory victim interaction (UI:R) and scope change (S:C) reflect client-side injection with cross-component impact; no availability impact applies.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:28 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Development Framework (ADF), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data as well as unauthorized read access to a subset of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

AnalysisAI

Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework component allows network-based unauthenticated attackers to compromise versions 12.2.1.4.0 and 14.1.2.0.0 via HTTP when a victim user interacts with a malicious payload. Successful exploitation results in unauthorized read access to a subset of ADF data and unauthorized modification of ADF-accessible data, with a confirmed scope change indicating downstream impact on additional Oracle Fusion Middleware products. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker crafts malicious HTTP URL
Delivery
Deliver link to victim via phishing or web redirect
Exploit
Victim clicks link triggering HTTP request
Install
ADF Security Framework processes malicious payload
C2
Browser executes attacker payload in victim session context
Execute
Unauthorized read and write access to ADF data
Impact
Impact propagates to additional Fusion Middleware products via scope change

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim user to interact with attacker-controlled content, such as clicking a crafted HTTP link or visiting a page that triggers a cross-origin request to the ADF application (UI:R mandatory condition). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (Medium) reflects a network-exploitable, low-complexity flaw requiring no authentication, but tempered by mandatory human interaction (UI:R), which significantly reduces opportunistic exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a malicious HTTP URL targeting an Oracle ADF application's Security Framework endpoint and distributes it via phishing email or a compromised third-party site. A logged-in or unauthenticated victim user clicks the link, causing their browser to execute the attacker's payload within the ADF application context, resulting in the attacker reading a subset of the user's ADF-accessible data and performing unauthorized data modifications - potentially extending to additional integrated Fusion Middleware components due to the scope change. …
Remediation Apply Oracle's Critical Patch Update (CPU) for June 2026, available via the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses CVE-2026-46770 in Oracle ADF versions 12.2.1.4.0 and 14.1.2.0.0. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46770 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy