Skip to main content

Oracle WebCenter Portal CVE-2026-46845

| EUVDEUVD-2026-37338 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle's description of unauthenticated HTTPS exploitation resulting in full portal takeover justifies AV:N/AC:L/PR:N/UI:N with high C/I/A impact and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:48 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote unauthenticated takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is possible via the Security Framework component, allowing attackers to fully compromise the portal over HTTPS without credentials or user interaction. Oracle rates this 9.8 CVSS (AV:N/AC:L/PR:N/UI:N) and describes exploitation as 'easily exploitable', though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed WebCenter Portal HTTPS endpoint
Delivery
Send crafted request to Security Framework
Exploit
Bypass authentication controls
Execution
Gain administrative portal access
Persist
Exfiltrate content or modify portal pages
Impact
Pivot into Fusion Middleware backend

Vulnerability AssessmentAI

Exploitation Exploitation requires only network reachability to the Oracle WebCenter Portal HTTPS interface of a running 12.2.1.4.0 or 14.1.2.0.0 instance with the Security Framework component active, which is the default and load-bearing component of any portal deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to this being a genuine priority issue rather than an inflated score: the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes unauthenticated, low-complexity network exploitation with high impact on all three CIA properties, and Oracle's own advisory text characterizes it as 'easily exploitable' resulting in 'takeover'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker with only HTTPS reachability to the WebCenter Portal sends crafted requests to the Security Framework endpoint to bypass authentication or impersonate a privileged user, then leverages portal administration features to read content, plant malicious portal pages, or pivot into Fusion Middleware back-end services. Because no privileges or user interaction are required and the attack is low-complexity, mass scanning of internet-exposed WebCenter Portal instances becomes feasible once an exploit emerges, even though no public exploit identified at time of analysis exists today.
Remediation Apply the Oracle June 2026 Critical Patch Update for WebCenter Portal as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch availability is confirmed per vendor advisory though no standalone fix version is published outside the CPU bundle. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all production and non-production systems running Oracle WebCenter Portal 12.2.1.4.0 or 14.1.2.0.0; enable enhanced logging on the Security Framework component; restrict network access to the portal to essential business users only via network segmentation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46845 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy