Skip to main content

Oracle WebCenter Enterprise Capture EUVDEUVD-2026-37296

| CVE-2026-46778 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
10.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

RMI is network-reachable (AV:N) with no auth (PR:N) or interaction (UI:N); Oracle confirms scope change (S:C) with full takeover yielding C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 23:09 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0) is possible via the Client Bundle component over RMI, allowing unauthenticated network attackers to fully compromise the product and pivot into other Fusion Middleware components due to a CVSS scope change. With a maximum 10.0 CVSS score, low attack complexity, and no privileges or user interaction required, this is a top-priority issue, though no public exploit identified at time of analysis. Oracle disclosed the issue in its June 2026 Critical Patch Update.

Technical ContextAI

Oracle WebCenter Enterprise Capture is a document imaging and capture platform within the Oracle Fusion Middleware stack used to scan, index, and route documents into enterprise content systems. The vulnerability is reachable through the Client Bundle component, which communicates with the server over Java RMI (Remote Method Invocation) - a protocol historically associated with insecure Java deserialization and remote object invocation flaws in Oracle Fusion Middleware. While the CWE is not provided, the combination of RMI exposure, unauthenticated network reach, and scope change is consistent with a deserialization-of-untrusted-data or unsafe remote method exposure pattern (CWE-502/CWE-306 class) commonly seen in Oracle WebLogic and Fusion Middleware RMI-facing services. The affected CPE is oracle_corporation:oracle_webcenter_enterprise_capture across versions 12.2.1.4.0 and 14.1.2.0.0.

RemediationAI

Patch available per vendor advisory - apply the fixes bundled in the Oracle June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) for both Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0; exact post-patch version identifiers should be taken directly from Oracle's CPU patch matrix. Until patching is complete, restrict network access to the RMI listener (commonly the WebLogic/Fusion Middleware RMI port) to trusted management networks only via firewall ACLs - note this will break legitimate Capture Client Bundle traffic from any blocked subnets and may require relocating client workstations or jump hosts. Additionally, consider disabling or constraining the Client Bundle component if it is not in active use, accepting that Capture's thick-client document ingestion workflows will stop functioning, and monitor for anomalous Java deserialization patterns or unexpected outbound connections from the Capture host as a detective control.

Share

EUVD-2026-37296 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy