Skip to main content

Oracle WebCenter Portal EUVDEUVD-2026-37321

| CVE-2026-46803 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
10.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Vendor description confirms unauthenticated HTTP exploitation with no user interaction, scope change to other Fusion Middleware products, and full takeover impacting confidentiality, integrity, and availability.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:55 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Unauthenticated remote takeover of Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP via a flaw in the Security Framework component, with a scope change extending impact to additional Oracle Fusion Middleware products. The maximum CVSS 3.1 score of 10.0 reflects network-reachable exploitation with no authentication or user interaction and full confidentiality, integrity, and availability loss; no public exploit identified at time of analysis, but the trivial attack profile makes this a top-priority patch.

Technical ContextAI

Oracle WebCenter Portal is an enterprise portal platform within the Oracle Fusion Middleware stack used to build intranets, extranets, and composite web applications, often integrated with WebLogic Server, Oracle Identity Management, and back-end content systems. The flaw resides in the product's Security Framework, the layer responsible for authentication, authorization, and identity propagation across portal services, meaning the very component meant to enforce trust boundaries is the one being bypassed. While Oracle did not publish a CWE, the combination of unauthenticated network exploitability with a scope change is consistent with an authentication bypass or broken access control class issue (CWE-287/CWE-862-family) that lets an external HTTP requester reach privileged portal operations and pivot into downstream Fusion Middleware components.

RemediationAI

Apply the patches delivered in the Oracle Critical Patch Update advisory of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0; Oracle CPU bundles are the only vendor-released fix path and must be staged on a non-production environment first because Fusion Middleware patching often requires OPatch, domain restarts, and revalidation of customized portal applications. Until patching is complete, restrict network exposure of the WebCenter Portal HTTP/HTTPS endpoints to trusted networks via a WAF or reverse proxy ACL, monitor portal access logs for anomalous unauthenticated requests to Security Framework endpoints, and where feasible take internet-facing portal instances offline - accepting the trade-off that legitimate external users (extranet partners, remote employees) will lose access until the CPU is applied. Do not rely on disabling individual portal features as a substitute, since the flaw is in the cross-cutting Security Framework rather than an optional module.

Share

EUVD-2026-37321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy