Skip to main content

Oracle WebCenter Portal EUVDEUVD-2026-37336

| CVE-2026-46838 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable HTTPS endpoint with low complexity, requires a low-privilege portal account (PR:L), no user interaction, and Oracle explicitly calls out scope change with full takeover impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:49 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Account/portal takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker to compromise the product over HTTPS with low attack complexity, and because the scope changes the impact extends beyond WebCenter Portal itself to additional integrated Fusion Middleware components. The flaw, disclosed in Oracle's June 2026 Critical Patch Update, carries a CVSS 3.1 base score of 9.9 with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Oracle WebCenter Portal is a Java EE-based enterprise portal in the Oracle Fusion Middleware stack used to build collaborative intranets, extranets, and composite applications, typically deployed on WebLogic Server and tightly integrated with WebCenter Content, Identity Management, and back-end Oracle databases. The vulnerable component is the Security Framework, which mediates authentication, session handling, and authorization decisions for portal users; weaknesses in that layer (CWE not assigned by Oracle, but consistent with broken access control or authentication flaws) typically allow an authenticated low-privilege user to escalate privileges or perform actions reserved for portal administrators. The CPE cpe:2.3:a:oracle_corporation:oracle_webcenter_portal covers both confirmed branches, and the scope-change indicator implies the Security Framework can issue trust decisions that are honored by downstream Fusion Middleware components, explaining why successful exploitation can pivot beyond the portal itself.

RemediationAI

Apply the Oracle Critical Patch Update from June 2026 referenced at https://www.oracle.com/security-alerts/cspujun2026.html to both affected branches (12.2.1.4.0 and 14.1.2.0.0); Oracle CPUs are cumulative, so install the latest bundle patch for your branch rather than picking individual fixes. If patching must be deferred, restrict network reach to the WebCenter Portal HTTPS endpoints to trusted management networks via firewall or reverse-proxy ACLs, tighten provisioning so the low-privilege account population is minimized and disable or expire dormant portal accounts, and increase monitoring on the Security Framework audit logs and WebLogic access logs for privilege-escalation patterns - each of these reduces exposure but does not close the underlying flaw and may block legitimate self-service portal use. Patch status: vendor-released patch available per Oracle CPU June 2026; exact bundle patch identifier should be taken from the Oracle advisory matrix for your branch.

Share

EUVD-2026-37336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy