Skip to main content

Oracle Unified Directory EUVDEUVD-2026-37294

| CVE-2026-46776 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.6
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
vuln.today AI
8.6 HIGH

LDAP listener is network-reachable with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); description specifies partial read, full write, and partial DoS impact (C:L/I:H/A:L) within OUD only (S:U).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:10 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data as well as unauthorized read access to a subset of Oracle Unified Directory accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Unified Directory. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).

AnalysisAI

Unauthenticated LDAP-based compromise of Oracle Unified Directory 12.2.1.4.0 and 14.1.2.1.0 allows remote attackers to create, delete, or modify critical directory data, read a subset of directory data, and trigger a partial denial of service. The flaw resides in the OUD Core component and was disclosed in Oracle's June 2026 Critical Patch Update with a CVSS 3.1 base score of 8.6; no public exploit identified at time of analysis and the issue is not in CISA KEV.

Technical ContextAI

Oracle Unified Directory (OUD) is Oracle Fusion Middleware's all-in-one Java-based LDAP v3 directory server, providing storage, proxy, virtualization, and synchronization services and frequently used as an identity store for Oracle Access Manager, Oracle Identity Governance, and downstream Fusion Middleware stacks. The vulnerable component is OUD Core, which handles LDAP protocol parsing and access decisions, and the network-reachable LDAP/LDAPS listeners (typically TCP 1389/1636 or 389/636) are the exposed surface. Oracle does not publish CWE classifications in CPU advisories, but the combination of unauthenticated network exploitation against the LDAP listener and high-integrity write impact is consistent with an authentication/authorization bypass or improper access control class flaw (CWE-285/CWE-287) in the directory server's request handling.

RemediationAI

Apply the Oracle Critical Patch Update of June 2026 for Oracle Fusion Middleware as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle CPUs ship the patched bundle patch for each supported OUD release (12.2.1.4.0 and 14.1.2.1.0), so install the corresponding bundle patch listed in that advisory - exact patch numbers are published in the CPU patch availability table and should be taken from there rather than inferred. Until patched, restrict network reachability of the LDAP (389/1389) and LDAPS (636/1636) listeners to known administrative and application clients via host firewalls or network ACLs, terminate LDAPS at a reverse proxy that can enforce source-IP restrictions, and increase audit logging on bind, add, modify, and delete operations to detect anomalous directory writes; note that aggressive network restriction will break any application that depends on OUD for authentication, so coordinate with identity-consuming services before applying. Disabling the anonymous bind capability does not by itself mitigate this issue because the flaw allows unauthenticated compromise via LDAP regardless of bind policy.

Share

EUVD-2026-37294 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy