Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
Local vector with high complexity and high privileges confirmed by description; confidentiality high due to full ADF data exposure; integrity low for partial write; no availability impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data as well as unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N).
AnalysisAI
Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to have an existing authenticated logon (high-privilege OS or domain account) to the infrastructure host or virtual machine where Oracle ADF executes - this is not a remotely exploitable network-facing flaw. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The overall real-world risk is LOW-TO-MODERATE despite the High confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has already compromised a high-privileged OS or WebLogic domain account on the server hosting Oracle ADF leverages the ADF Faces access control flaw to bypass the application's internal data authorization layer - for example, accessing data scoped to other users or application roles. No public proof-of-concept exploit exists, so this scenario currently requires attacker-developed tooling and high attack complexity, limiting practical exploitation to sophisticated, targeted threat actors with existing foothold on ADF infrastructure. |
| Remediation | Apply the patches distributed in Oracle's June 2026 Critical Patch Update (CPU), available through My Oracle Support and documented at https://www.oracle.com/security-alerts/cspujun2026.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4
Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework compo
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 ex
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37461