Skip to main content

Oracle WebCenter Portal EUVDEUVD-2026-37320

| CVE-2026-46802 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

HTTP-reachable Security Framework flaw exploitable by any low-privileged portal user with no UI, and Oracle confirms scope change with full CIA impact across adjacent Fusion Middleware products.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:56 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP network access to fully compromise the Security Framework component and pivot into adjacent products via a scope change. The flaw carries a CVSS 3.1 base score of 9.9 with high impact across confidentiality, integrity, and availability, and no public exploit identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update, but no CISA KEV listing or EPSS data was provided in the input.

Technical ContextAI

The vulnerability resides in the Security Framework component of Oracle WebCenter Portal, the enterprise portal layer built on Oracle Fusion Middleware that handles authentication, authorization, and identity propagation for portal applications and integrated services. CPE data (cpe:2.3:a:oracle_corporation:oracle_webcenter_portal) confirms the affected platform is the Oracle WebCenter Portal product family rather than other Fusion Middleware components. While the CWE is not specified in the input, the combination of low-privilege precondition, scope change (S:C), and full CIA impact is characteristic of broken authorization or privilege-escalation flaws in the security/identity layer that allow an authenticated user to escape their assigned role and act on behalf of, or across, other trust boundaries inside the Fusion Middleware stack.

RemediationAI

Apply the patches from the Oracle Critical Patch Update advisory at https://www.oracle.com/security-alerts/cspujun2026.html (June 2026 CPU) for Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0; exact post-patch build identifiers are not enumerated in the input and should be taken directly from the Oracle CPU patch matrix. Until patching, restrict HTTP access to the WebCenter Portal endpoints to trusted networks via a reverse proxy or WAF, tighten self-registration and federation policies so that low-privileged accounts cannot be obtained easily by external parties, and monitor portal authentication and security-framework audit logs for anomalous privilege use or cross-application requests - note that locking down self-registration will block legitimate onboarding flows, and proxy-level restrictions may break federated SSO partners, so coordinate with identity and business owners before enforcing.

Share

EUVD-2026-37320 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy