Skip to main content

Oracle Access Manager EUVDEUVD-2026-37394

| CVE-2026-35261 MEDIUM
Improper Authentication (CWE-287)
2026-06-16 oracle
6.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible HTTP endpoint requires no credentials or interaction; limited data read/write impact with no availability effect and no scope change to downstream systems.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 17, 2026 - 00:13 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

AnalysisAI

Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.

Technical ContextAI

Oracle Access Manager (OAM) is an enterprise-grade identity and access management platform within Oracle Fusion Middleware, providing centralized authentication, single sign-on (SSO), federation, and policy enforcement for downstream applications. The vulnerable component is the Authentication Engine - the core subsystem responsible for processing incoming authentication requests over HTTP. The vendor-applied tag 'Authentication Bypass' and the PR:N CVSS metric together indicate that the flaw permits attackers to interact with or influence authentication logic without presenting valid credentials. No CWE is assigned by the reporter, which limits root-cause classification; however, the 'Authentication Bypass' tag suggests a logic flaw, insufficient validation, or improper session handling within the authentication pipeline rather than a memory-corruption class vulnerability. Affected CPE: cpe:2.3:a:oracle_corporation:oracle_access_manager:*:*:*:*:*:*:*:* covering versions 12.2.1.4.0 and 14.1.2.1.0.

RemediationAI

Apply the patches issued in Oracle's Critical Patch Update (CPU) for June 2026, available at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses both affected versions 12.2.1.4.0 and 14.1.2.1.0. The exact patched version numbers are not independently confirmed beyond the advisory reference - organizations should consult the CPU documentation for the specific patch set identifiers. Where immediate patching is not feasible, compensating controls should include restricting HTTP access to Oracle Access Manager administrative and authentication endpoints at the network perimeter (firewall or WAF rules) to only trusted internal IP ranges, preventing unauthenticated external network access to the Authentication Engine. Implementing enhanced logging and anomaly detection on authentication requests may help detect exploitation attempts while patching is scheduled. Note that network restriction may disrupt SSO flows for legitimate external users if OAM is deployed for internet-facing authentication - scope access controls carefully.

Share

EUVD-2026-37394 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy