Skip to main content

Oracle Virtual Directory EUVDEUVD-2026-37438

| CVE-2026-35312 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

LDAP is network-reachable (AV:N), Oracle describes exploitation as easy and unauthenticated with no user interaction (AC:L/PR:N/UI:N), and full takeover implies C:H/I:H/A:H within OVD's scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:40 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Virtual Directory product of Oracle Fusion Middleware (component: Virtual Directory Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Virtual Directory. Successful attacks of this vulnerability can result in takeover of Oracle Virtual Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote unauthenticated takeover of Oracle Virtual Directory 12.2.1.4.0 and 14.1.2.0.0 is possible via crafted LDAP traffic, yielding full confidentiality, integrity, and availability impact (CVSS 9.8). The flaw lives in the Virtual Directory Server component of Oracle Fusion Middleware and is described by Oracle as easily exploitable over the network with no authentication or user interaction. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Oracle Virtual Directory (OVD) is an LDAP virtualization layer in Oracle Fusion Middleware that proxies and aggregates identity data from multiple back-end directories (Active Directory, OID, databases) into a single LDAP-accessible view, commonly fronting downstream applications such as Oracle Access Manager and SOA components. The vulnerable component is identified by Oracle as the Virtual Directory Server, the daemon that terminates LDAP/LDAPS connections and parses BER/ASN.1-encoded LDAP PDUs before dispatching them to adapter plug-ins. No CWE was assigned by Oracle, but the combination of LDAP attack surface, pre-authentication reachability, and 'takeover' impact is characteristic of memory-corruption or deserialization/injection flaws in protocol parsing or bind-handling code paths (CWE-20/CWE-502/CWE-94 family). The single CPE provided (cpe:2.3:a:oracle_corporation:oracle_virtual_directory) narrows the affected surface to OVD itself rather than the broader Fusion Middleware stack.

RemediationAI

Apply the patches shipped in the Oracle Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html for Oracle Virtual Directory 12.2.1.4.0 and 14.1.2.0.0; exact patched build numbers should be taken from that advisory (no specific fix version is included in the input data, so treat 'patch available per vendor advisory' as the current status). Until the CPU patch can be staged through change control, restrict network reachability to the OVD LDAP/LDAPS listeners (typically TCP 389 and 636) so that only trusted identity-tier hosts and downstream Fusion Middleware components can connect, ideally enforced at a firewall or service mesh rather than only at the OVD ACL layer; this preserves OVD function for legitimate consumers but breaks any directory clients that were connecting from broader network segments. If OVD is exposed beyond the internal identity tier, terminate that exposure (or front it with an LDAP-aware proxy that drops anonymous binds and unusual operations) and monitor the OVD and OS logs for unexpected bind, search, or extended-operation traffic from non-allowlisted sources. Do not rely on disabling anonymous bind alone as a mitigation, since the CVSS vector indicates PR:N exploitation that does not require authenticated context.

Share

EUVD-2026-37438 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy