Skip to main content

Oracle Access Manager EUVDEUVD-2026-37329

| CVE-2026-46812 MEDIUM
Improper Access Control (CWE-284)
2026-06-16 oracle
6.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Consistent with vendor-provided vector: network-exploitable without credentials, user interaction required, scope change reflects SSO propagation; low C/I impacts with no availability component.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:26 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

AnalysisAI

Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - contingent on user interaction - to achieve limited confidentiality and integrity compromise, with scope change propagating impact to additional Fusion Middleware products. Versions 12.2.1.4.0 and 14.1.2.1.0 are confirmed affected per Oracle's June 2026 Critical Patch Update. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Attacker identifies internet-facing OAM login endpoint
Delivery
Crafts malicious HTTP URL targeting Authentication Engine parameter
Exploit
Delivers URL to OAM user via phishing or social engineering
Install
Victim clicks link and interacts with authentication flow
C2
Payload executes within authentication context
Execute
Unauthorized read/modify access on OAM data achieved
Impact
Scope change propagates impact to downstream SSO-protected applications

Vulnerability AssessmentAI

Exploitation Exploitation requires that a person other than the attacker actively interacts with a specially crafted HTTP request - for example, clicking a malicious URL or being redirected through an attacker-controlled page that initiates a login flow against the OAM Authentication Engine. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.1 (Medium) accurately captures the constrained but real-world exploitability of this flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting an organization's Oracle Access Manager deployment crafts a malicious HTTP URL that abuses the Authentication Engine component - likely injecting payload into a login-flow parameter - and delivers it to an internal user via a phishing email or a compromised web page. When the victim clicks the link and the authentication interaction is triggered, the attacker's payload executes, reading a subset of OAM-accessible data and, due to the scope change, potentially manipulating session state or data in downstream applications protected by OAM's SSO. …
Remediation Apply the patches distributed in Oracle's Critical Patch Update for June 2026, referenced at https://www.oracle.com/security-alerts/cspujun2026.html, for the installed version (12.2.1.4.0 or 14.1.2.1.0). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37329 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy