Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
WebGate is reachable over HTTP with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); description limits impact to subset read, partial write, and partial DoS, so C:L/I:L/A:L and S:U.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Web Server Plugin). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Access Manager. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
AnalysisAI
Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network HTTP reachability to an Oracle Access Manager Web Server Plugin (WebGate) deployment running version 12.2.1.4.0 or 14.1.2.1.0; no authentication, no user interaction, and no special non-default configuration are called out in the description (PR:N/UI:N/AC:L). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L = 7.3) describes a network-reachable, low-complexity, unauthenticated flaw with partial impact across all three CIA dimensions - a strong real-world risk profile for an internet-exposed identity component, since OAM/WebGate is typically the front door to enterprise SSO. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An external attacker enumerates an organization's SSO entry point, identifies an OAM-protected web application by its WebGate redirect, and sends crafted HTTP requests directly to the WebGate-fronted endpoint without any credentials. The requests exploit the Web Server Plugin to read, modify, or delete a subset of OAM-accessible data and to degrade the OAM service, undermining SSO availability for downstream applications. … |
| Remediation | Apply the fixes from the Oracle Critical Patch Update June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to OAM 12.2.1.4.0 and 14.1.2.1.0 deployments, including the Web Server Plugin (WebGate) binaries on every front-end HTTP server - patching only the OAM server tier is insufficient because the vulnerable component is the plugin. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 deployments and document internet exposure; immediately restrict HTTP access to OAM Web Server Plugin if externally accessible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Oracle Access Manager
View allPrivilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote atta
Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modi
Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - continge
Same weakness CWE-284 – Improper Access Control
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37440