Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-accessible HTTP endpoint requires no credentials or interaction; limited data read/write impact with no availability effect and no scope change to downstream systems.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
AnalysisAI
Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.
Technical ContextAI
Oracle Access Manager (OAM) is an enterprise-grade identity and access management platform within Oracle Fusion Middleware, providing centralized authentication, single sign-on (SSO), federation, and policy enforcement for downstream applications. The vulnerable component is the Authentication Engine - the core subsystem responsible for processing incoming authentication requests over HTTP. The vendor-applied tag 'Authentication Bypass' and the PR:N CVSS metric together indicate that the flaw permits attackers to interact with or influence authentication logic without presenting valid credentials. No CWE is assigned by the reporter, which limits root-cause classification; however, the 'Authentication Bypass' tag suggests a logic flaw, insufficient validation, or improper session handling within the authentication pipeline rather than a memory-corruption class vulnerability. Affected CPE: cpe:2.3:a:oracle_corporation:oracle_access_manager:*:*:*:*:*:*:*:* covering versions 12.2.1.4.0 and 14.1.2.1.0.
RemediationAI
Apply the patches issued in Oracle's Critical Patch Update (CPU) for June 2026, available at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses both affected versions 12.2.1.4.0 and 14.1.2.1.0. The exact patched version numbers are not independently confirmed beyond the advisory reference - organizations should consult the CPU documentation for the specific patch set identifiers. Where immediate patching is not feasible, compensating controls should include restricting HTTP access to Oracle Access Manager administrative and authentication endpoints at the network perimeter (firewall or WAF rules) to only trusted internal IP ranges, preventing unauthenticated external network access to the Authentication Engine. Implementing enhanced logging and anomaly detection on authentication requests may help detect exploitation attempts while patching is scheduled. Note that network restriction may disrupt SSO flows for legitimate external users if OAM is deployed for internet-facing authentication - scope access controls carefully.
More in Oracle Access Manager
View allPrivilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote atta
Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plug
Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - continge
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37394