Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered via HTTP with no auth required; mandatory victim interaction (UI:R) and scope change (S:C) reflect client-side injection with cross-component impact; no availability impact applies.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Development Framework (ADF), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data as well as unauthorized read access to a subset of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
AnalysisAI
Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework component allows network-based unauthenticated attackers to compromise versions 12.2.1.4.0 and 14.1.2.0.0 via HTTP when a victim user interacts with a malicious payload. Successful exploitation results in unauthorized read access to a subset of ADF data and unauthorized modification of ADF-accessible data, with a confirmed scope change indicating downstream impact on additional Oracle Fusion Middleware products. No public exploit has been identified at time of analysis, and no CISA KEV listing exists.
Technical ContextAI
Oracle Application Development Framework (ADF) is a Java EE-based framework within Oracle Fusion Middleware, used to build enterprise web applications. The affected component is the Security Framework, which governs authentication and authorization within ADF applications. The CPE string (cpe:2.3:a:oracle_corporation:oracle_application_development_framework_(adf)) confirms the vulnerability exists in Oracle Corporation's own ADF product, not a third-party dependency. The CVSS vector pattern - AV:N, AC:L, PR:N, UI:R, S:C, C:L, I:L, A:N - is the canonical fingerprint for a client-side injection vulnerability such as reflected XSS or CSRF, consistent with the 'Authentication Bypass' tag. The scope change (S:C) indicates that the Security Framework component, once compromised, can propagate impact to other Fusion Middleware components or integrated applications beyond ADF itself. No CWE was assigned by Oracle, which limits precise root-cause classification, but the tag metadata and CVSS breakdown align most closely with CWE-79 (Improper Neutralization of Input During Web Page Generation) or CWE-352 (Cross-Site Request Forgery).
RemediationAI
Apply Oracle's Critical Patch Update (CPU) for June 2026, available via the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses CVE-2026-46770 in Oracle ADF versions 12.2.1.4.0 and 14.1.2.0.0. The exact patched version numbers are not independently confirmed from the provided data beyond the CPU reference - consult Oracle My Oracle Support for the precise patch ID and updated version strings before deployment. As a compensating control where immediate patching is not feasible, restrict external network access to ADF Security Framework endpoints at the perimeter (WAF or network ACL), particularly filtering HTTP requests targeting ADF authentication endpoints; note this may disrupt legitimate user workflows and does not eliminate the risk. Additionally, deploy a Web Application Firewall (WAF) with XSS/injection rulesets to detect crafted payloads, accepting the trade-off of potential false positives on complex ADF UI interactions. User awareness measures (anti-phishing training) reduce the human-interaction prerequisite being met, but are not a technical control.
Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4
Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnera
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 ex
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37459