Skip to main content

Oracle WebCenter Portal EUVDEUVD-2026-37338

| CVE-2026-46845 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle's description of unauthenticated HTTPS exploitation resulting in full portal takeover justifies AV:N/AC:L/PR:N/UI:N with high C/I/A impact and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:48 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote unauthenticated takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is possible via the Security Framework component, allowing attackers to fully compromise the portal over HTTPS without credentials or user interaction. Oracle rates this 9.8 CVSS (AV:N/AC:L/PR:N/UI:N) and describes exploitation as 'easily exploitable', though there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

Oracle WebCenter Portal is an enterprise portal platform within the Oracle Fusion Middleware stack used for building intranet and extranet sites with collaboration, content, and social features. The flaw resides in the Security Framework component, which mediates authentication, authorization, and session handling for portal requests. Although Oracle did not publish a CWE, the combination of network attack vector, no privileges required, no user interaction, and 'takeover' impact is consistent with an authentication bypass or broken-access-control class weakness in the framework that brokers identity for portal services. The CPE cpe:2.3:a:oracle_corporation:oracle_webcenter_portal:*:*:*:*:*:*:*:* confirms the product scope is the WebCenter Portal application itself rather than an embedded third-party library.

RemediationAI

Apply the Oracle June 2026 Critical Patch Update for WebCenter Portal as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch availability is confirmed per vendor advisory though no standalone fix version is published outside the CPU bundle. Until the CPU can be deployed, restrict network reachability of the WebCenter Portal HTTPS endpoints to trusted networks via firewall or reverse proxy ACLs, place the portal behind a web application firewall with rules that monitor and rate-limit authentication and session-establishment endpoints exposed by the Security Framework, and increase monitoring of WebCenter authentication and admin-action logs for anomalous unauthenticated access; the trade-off is that network restrictions may break legitimate remote-user access and WAF rules without a known exploit signature can only provide generic protection rather than a precise virtual patch.

Share

EUVD-2026-37338 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy