Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable so AV:N, no special conditions AC:L, requires existing high-privileged ADF account so PR:H, no victim action UI:N, full takeover gives C/I/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Shared Components). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4.0 and 14.1.2.0.0, where an attacker with high privileges and HTTP network access to the ADF Shared Components can fully compromise the product. The CVSS 3.1 base score is 7.2 with high impact to confidentiality, integrity, and availability, and Oracle classifies the issue as easily exploitable once authentication is obtained. There is no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.
Technical ContextAI
Oracle ADF is a Java EE-based development framework used to build enterprise web applications within Oracle Fusion Middleware, and the flaw resides in the ADF Shared Components module which provides common runtime functionality across ADF-built applications. The CPE string cpe:2.3:a:oracle_corporation:oracle_application_development_framework_(adf) confirms the affected product family, while the affected versions span both the long-supported 12.2.1.4.0 release and the newer 14.1.2.0.0 release. No CWE has been assigned by Oracle or NVD, which is typical for Oracle Critical Patch Update entries where root-cause classification is intentionally withheld; the description's reference to a complete takeover via HTTP suggests an authenticated administrative interface or shared component endpoint that fails to enforce proper authorization or input handling.
RemediationAI
Apply the patches distributed in the Oracle Critical Security Patch Update for June 2026 referenced at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory, with exact patched build numbers identified in the CPU matrix for the 12.2.1.4.0 and 14.1.2.0.0 release lines. Until patching is possible, reduce exposure by tightening access controls on any administrative or privileged ADF endpoints (network ACLs, reverse-proxy authentication, and WAF rules in front of Fusion Middleware front-ends), rotate and audit high-privileged ADF/Fusion Middleware accounts to shrink the pool of actors that satisfy the PR:H prerequisite, and enable detailed access logging on ADF Shared Components - the trade-off is that admin workflows may break if ACLs are scoped too narrowly, so coordinate with application owners before tightening.
Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework compo
Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnera
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 ex
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37458