Skip to main content

Oracle ADF CVE-2026-46772

| EUVDEUVD-2026-37461 MEDIUM
Improper Access Control (CWE-284)
2026-06-16 oracle
4.7
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
4.7 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
4.7 MEDIUM

Local vector with high complexity and high privileges confirmed by description; confidentiality high due to full ADF data exposure; integrity low for partial write; no availability impact.

3.1 AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
4.0 AV:L/AC:H/AT:P/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:27 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data as well as unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N).

AnalysisAI

Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege local or domain credentials
Delivery
Authenticate to ADF infrastructure host
Exploit
Identify ADF Faces access control boundary
Execution
Craft request exploiting authorization bypass
Persist
Access all ADF-accessible confidential data
Impact
Perform unauthorized data modification

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to have an existing authenticated logon (high-privilege OS or domain account) to the infrastructure host or virtual machine where Oracle ADF executes - this is not a remotely exploitable network-facing flaw. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The overall real-world risk is LOW-TO-MODERATE despite the High confidentiality impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already compromised a high-privileged OS or WebLogic domain account on the server hosting Oracle ADF leverages the ADF Faces access control flaw to bypass the application's internal data authorization layer - for example, accessing data scoped to other users or application roles. No public proof-of-concept exploit exists, so this scenario currently requires attacker-developed tooling and high attack complexity, limiting practical exploitation to sophisticated, targeted threat actors with existing foothold on ADF infrastructure.
Remediation Apply the patches distributed in Oracle's June 2026 Critical Patch Update (CPU), available through My Oracle Support and documented at https://www.oracle.com/security-alerts/cspujun2026.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46772 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy