Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
LDAP listener is network-reachable with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); description specifies partial read, full write, and partial DoS impact (C:L/I:H/A:L) within OUD only (S:U).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data as well as unauthorized read access to a subset of Oracle Unified Directory accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Unified Directory. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).
AnalysisAI
Unauthenticated LDAP-based compromise of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 allows remote attackers to create, delete, or modify critical directory data, read a subset of directory data, and trigger a partial denial of service. The flaw resides in the OUD Core component and was disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.6; no public exploit identified at time of analysis and the issue is not in CISA KEV.
Technical ContextAI
Oracle Unified Directory (OUD) is Oracle Fusion Middleware's all-in-one Java-based LDAP v3 directory server, providing storage, proxy, virtualization, and synchronization services and frequently used as an identity store for Oracle Access Manager, Oracle Identity Governance, and downstream Fusion Middleware stacks. The vulnerable component is OUD Core, which handles LDAP protocol parsing and access decisions, and the network-reachable LDAP/LDAPS listeners (typically TCP 1389/1636 or 389/636) are the exposed surface. Oracle does not publish CWE classifications in CPU advisories, but the combination of unauthenticated network exploitation against the LDAP listener and high-integrity write impact is consistent with an authentication/authorization bypass or improper access control class flaw (CWE-285/CWE-287) in the directory server's request handling.
RemediationAI
Apply the Oracle Critical Patch Update of June 2026 for Oracle Fusion Middleware as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle CPUs ship the patched bundle patch for each supported OUD release (12.2.1.4.0 and 14.1.2.1.0), so install the corresponding bundle patch listed in that advisory - exact patch numbers are published in the CPU patch availability table and should be taken from there rather than inferred. Until patched, restrict network reachability of the LDAP (389/1389) and LDAPS (636/1636) listeners to known administrative and application clients via host firewalls or network ACLs, terminate LDAPS at a reverse proxy that can enforce source-IP restrictions, and increase audit logging on bind, add, modify, and delete operations to detect anomalous directory writes; note that aggressive network restriction will break any application that depends on OUD for authentication, so coordinate with identity-consuming services before applying. Disabling the anonymous bind capability does not by itself mitigate this issue because the flaw allows unauthenticated compromise via LDAP regardless of bind policy.
More in Oracle Unified Directory
View allRemote takeover of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 is possible via the OUD Core component's RMI inter
Unauthenticated LDAP-based takeover of Oracle Unified Directory affects supported versions 12.2.1.4.0 and 14.1.2.1.0 wit
Same weakness CWE-284 – Improper Access Control
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37294