Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Oracle confirms easily exploitable unauthenticated network attack on Security Framework yielding full takeover, with scope change to downstream Fusion Middleware components justifying S:C and C/I/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Complete takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by unauthenticated remote attackers via crafted HTTP requests to the Security Framework component, with CVSS 10.0 reflecting a scope change that lets the compromise extend beyond WebCenter into adjacent Fusion Middleware products. No public exploit identified at time of analysis, but the combination of network attack vector, low complexity, no privileges, no user interaction, and Oracle's own 'easily exploitable' wording makes this a top-priority patching event. Vendor-released patch is available via the Oracle Critical Patch Update of June 2026 (CPUJUN2026).
Technical ContextAI
Oracle WebCenter Portal is a Java EE-based enterprise portal platform within the Oracle Fusion Middleware stack, used to build intranets, extranets, and composite application UIs that aggregate content, social collaboration, and identity-aware services. The flaw lives in the Security Framework subcomponent, which brokers authentication, authorization, session, and identity propagation between WebCenter and downstream Fusion Middleware services (WebLogic, IDM, content repositories), explaining the CVSS scope change (S:C) - a compromise of the security broker invalidates trust assumptions in components beyond WebCenter itself. CPE coverage (cpe:2.3:a:oracle_corporation:oracle_webcenter_portal:*) and Oracle's advisory confirm the two affected branches: 12.2.1.4.0 (the long-lived 12c line) and 14.1.2.0.0 (the current 14c line). No CWE was assigned by NVD/Oracle, which is typical for Oracle CPU entries; the 'takeover' language combined with Security Framework placement is consistent with authentication bypass or deserialization/SSRF-class flaws historically seen in this stack, but the exact root cause class cannot be confirmed from public data.
RemediationAI
Apply the Oracle Critical Patch Update of June 2026 (CPUJUN2026) to Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 immediately - this is the vendor-released patch and is the only fully effective fix; refer to https://www.oracle.com/security-alerts/cspujun2026.html for exact patch bundle identifiers and prerequisite Fusion Middleware platform patches. Until the CPU is deployed, compensating controls should include removing direct internet exposure of WebCenter Portal endpoints by placing them behind an authenticating reverse proxy or VPN (trade-off: breaks anonymous/public portal use cases), restricting HTTP/HTTPS access to the WebCenter managed servers via network ACLs or WAF rules that block unauthenticated requests to Security Framework URIs such as /webcenter, /rest, and /rss endpoints (trade-off: may break legitimate federation or REST integrations), and increasing logging on the WebCenter managed servers and front-end load balancers to detect anomalous unauthenticated request patterns. Do not rely on these mitigations as a substitute for the CPU - the scope change means compensating controls at the WebCenter layer may not protect downstream Fusion Middleware components that trust WebCenter identity context.
More in Oracle Webcenter Portal
View allUnauthenticated remote takeover of Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0 is possible over HTTP via
Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 (Fusion Middleware, Runtime Tools component) allow
Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows an authenticated low-privileged attacker to
Account/portal takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged remote attacker to
Takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privileged remote attacker over HTT
Account takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged attacker with HTTP network
Privilege escalation to full takeover in Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 allows a low-privileged authe
Privilege escalation and full takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is achievable by a low-privi
Remote unauthenticated takeover of Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 is possible via the Security Framew
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37339