Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Vendor vector confirmed: local infrastructure access and high existing privileges required; only confidentiality impacted with no integrity or availability effect.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: Java Business Objects). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).
AnalysisAI
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 exposes all ADF-accessible data to a high-privileged local attacker who can exploit the Java Business Objects component. The vulnerability requires physical or logical access to the infrastructure host and a high-complexity attack path, substantially limiting realistic threat surface. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; Oracle addressed this issue in the June 2026 Critical Security Patch Update.
Technical ContextAI
Oracle Application Development Framework (ADF) is a Java EE-based enterprise application development platform, part of Oracle Fusion Middleware. The affected component is Java Business Objects - the data-binding and business service layer that mediates between ADF UI components and backend data sources. The CPE string (cpe:2.3:a:oracle_corporation:oracle_application_development_framework_(adf)) confirms the vulnerability resides in Oracle's proprietary ADF runtime stack rather than a third-party library. The CWE classification is not provided by Oracle, which is consistent with Oracle's general CPU advisory practice of omitting detailed root-cause taxonomy. The 'Authentication Bypass' tag supplied in the intelligence feed is contradicted by the CVSS vector (PR:H), suggesting either that the bypass occurs within a session already holding high privileges - such as bypassing object-level authorization checks rather than bypassing the authentication gate - or that the tag reflects a broader category label rather than a precise exploit primitive. The CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N vector indicates the flaw is exercisable only by an attacker who has already obtained local OS-level access and high application privileges, placing this firmly in a post-compromise or insider-threat model.
RemediationAI
Apply the Oracle Critical Security Patch Update (CPU) for June 2026, which addresses CVE-2026-46771 for ADF versions 12.2.1.4.0 and 14.1.2.0.0. The advisory is available at https://www.oracle.com/security-alerts/cspujun2026.html. An exact patched release version was not independently specified in the advisory data beyond the CPU itself, so administrators should consult Oracle My Oracle Support (MOS) for the precise patch bundle applicable to their ADF and Fusion Middleware versions. Until patching is complete, compensating controls should focus on restricting local OS access to the host running ADF - enforce strong role-based access controls on infrastructure accounts, limit high-privilege ADF application roles to the minimum set of users, enable detailed audit logging of ADF Business Objects queries to detect anomalous data access patterns, and review whether network-level segmentation can reduce the population of users with valid host logon access. These controls do not eliminate the vulnerability but materially reduce the realistic attacker population given the AV:L/PR:H constraint.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37460