Skip to main content

Oracle WebCenter Portal EUVDEUVD-2026-37339

| CVE-2026-46846 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
10.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Oracle confirms easily exploitable unauthenticated network attack on Security Framework yielding full takeover, with scope change to downstream Fusion Middleware components justifying S:C and C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:48 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Complete takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by unauthenticated remote attackers via crafted HTTP requests to the Security Framework component, with CVSS 10.0 reflecting a scope change that lets the compromise extend beyond WebCenter into adjacent Fusion Middleware products. No public exploit identified at time of analysis, but the combination of network attack vector, low complexity, no privileges, no user interaction, and Oracle's own 'easily exploitable' wording makes this a top-priority patching event. Vendor-released patch is available via the Oracle Critical Patch Update of June 2026 (CPUJUN2026).

Technical ContextAI

Oracle WebCenter Portal is a Java EE-based enterprise portal platform within the Oracle Fusion Middleware stack, used to build intranets, extranets, and composite application UIs that aggregate content, social collaboration, and identity-aware services. The flaw lives in the Security Framework subcomponent, which brokers authentication, authorization, session, and identity propagation between WebCenter and downstream Fusion Middleware services (WebLogic, IDM, content repositories), explaining the CVSS scope change (S:C) - a compromise of the security broker invalidates trust assumptions in components beyond WebCenter itself. CPE coverage (cpe:2.3:a:oracle_corporation:oracle_webcenter_portal:*) and Oracle's advisory confirm the two affected branches: 12.2.1.4.0 (the long-lived 12c line) and 14.1.2.0.0 (the current 14c line). No CWE was assigned by NVD/Oracle, which is typical for Oracle CPU entries; the 'takeover' language combined with Security Framework placement is consistent with authentication bypass or deserialization/SSRF-class flaws historically seen in this stack, but the exact root cause class cannot be confirmed from public data.

RemediationAI

Apply the Oracle Critical Patch Update of June 2026 (CPUJUN2026) to Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 immediately - this is the vendor-released patch and is the only fully effective fix; refer to https://www.oracle.com/security-alerts/cspujun2026.html for exact patch bundle identifiers and prerequisite Fusion Middleware platform patches. Until the CPU is deployed, compensating controls should include removing direct internet exposure of WebCenter Portal endpoints by placing them behind an authenticating reverse proxy or VPN (trade-off: breaks anonymous/public portal use cases), restricting HTTP/HTTPS access to the WebCenter managed servers via network ACLs or WAF rules that block unauthenticated requests to Security Framework URIs such as /webcenter, /rest, and /rss endpoints (trade-off: may break legitimate federation or REST integrations), and increasing logging on the WebCenter managed servers and front-end load balancers to detect anomalous unauthenticated request patterns. Do not rely on these mitigations as a substitute for the CPU - the scope change means compensating controls at the WebCenter layer may not protect downstream Fusion Middleware components that trust WebCenter identity context.

Share

EUVD-2026-37339 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy