Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Consistent with vendor-provided vector: network-exploitable without credentials, user interaction required, scope change reflects SSO propagation; low C/I impacts with no availability component.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
AnalysisAI
Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - contingent on user interaction - to achieve limited confidentiality and integrity compromise, with scope change propagating impact to additional Fusion Middleware products. Versions 12.2.1.4.0 and 14.1.2.1.0 are confirmed affected per Oracle's June 2026 Critical Patch Update. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a person other than the attacker actively interacts with a specially crafted HTTP request - for example, clicking a malicious URL or being redirected through an attacker-controlled page that initiates a login flow against the OAM Authentication Engine. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.1 (Medium) accurately captures the constrained but real-world exploitability of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting an organization's Oracle Access Manager deployment crafts a malicious HTTP URL that abuses the Authentication Engine component - likely injecting payload into a login-flow parameter - and delivers it to an internal user via a phishing email or a compromised web page. When the victim clicks the link and the authentication interaction is triggered, the attacker's payload executes, reading a subset of OAM-accessible data and, due to the scope change, potentially manipulating session state or data in downstream applications protected by OAM's SSO. … |
| Remediation | Apply the patches distributed in Oracle's Critical Patch Update for June 2026, referenced at https://www.oracle.com/security-alerts/cspujun2026.html, for the installed version (12.2.1.4.0 or 14.1.2.1.0). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Access Manager
View allPrivilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote atta
Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plug
Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37329