Skip to main content

Oracle Unified Directory EUVDEUVD-2026-37292

| CVE-2026-46773 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

LDAP service is network-reachable (AV:N), Oracle calls it easily exploitable with no auth or interaction (AC:L/PR:N/UI:N), and 'takeover' implies full C:H/I:H/A:H with no scope change.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:11 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in takeover of Oracle Unified Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Unauthenticated LDAP-based takeover of Oracle Unified Directory affects supported versions 12.2.1.4.0 and 14.1.2.1.0 within Oracle Fusion Middleware, allowing a remote attacker with network reachability to the LDAP service to fully compromise the directory server. The flaw carries a CVSS 3.1 base score of 9.8 with high confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed OUD LDAP listener
Delivery
Send crafted LDAP request to OUD Core
Exploit
Trigger unauthenticated takeover flaw
Execution
Gain control of directory service
Persist
Read or modify identity data
Impact
Pivot into downstream applications trusting OUD

Vulnerability AssessmentAI

Exploitation The attacker needs network reachability to the OUD Core LDAP service (typically TCP/389 or TCP/636) on an instance running supported version 12.2.1.4.0 or 14.1.2.1.0; no credentials, no user interaction, and no special configuration toggle are stated by Oracle as preconditions, matching the AV:N/AC:L/PR:N/UI:N vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to a high-priority issue: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N is fully unauthenticated and network-reachable, scope unchanged but with C:H/I:H/A:H amounting to a 9.8 critical score, and Oracle itself characterizes successful attacks as 'takeover' of the product. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on a network segment that can reach the OUD LDAP port sends a crafted LDAP request to the OUD Core listener and, without authenticating, triggers the flaw to take control of the directory service. From that position the attacker reads or modifies user, group, and credential data, then pivots by issuing forged authentication responses or planting attacker-controlled accounts that any application relying on OUD will trust. …
Remediation Apply the patches delivered in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html for the affected branches 12.2.1.4.0 and 14.1.2.1.0; treat patch status as 'Patch available per vendor advisory' since the input does not list a specific fixed sub-version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Inventory all OUD deployments running 12.2.1.4.0 or 14.1.2.1.0; immediately restrict LDAP/LDAPS network access (ports 389/636) to authorized internal systems only via firewall rules; review LDAP audit logs for unauthorized access or modifications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy