Severity by source
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
Local vector with high complexity and high privileges confirmed by description; confidentiality high due to full ADF data exposure; integrity low for partial write; no availability impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Faces). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data as well as unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N).
AnalysisAI
Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 expose a local privilege-abuse vulnerability in the ADF Faces component that allows a high-privileged attacker with infrastructure-level logon to bypass access controls and exfiltrate all ADF-accessible data. The CVSS vector (AV:L/AC:H/PR:H) confines exploitation to actors who already possess elevated local system access, making this a post-compromise lateral escalation risk rather than an initial entry point. No public exploit exists and this CVE is not listed in the CISA KEV catalog; however, the 'Authentication Bypass' tag suggests the flaw undermines role-based or session-level access separation within ADF Faces despite the attacker already holding high privileges.
Technical ContextAI
Oracle Application Development Framework (ADF) is an Oracle-proprietary Java EE development platform, part of Oracle Fusion Middleware, used to build enterprise web applications. ADF Faces is the JavaServer Faces (JSF)-based UI component framework that renders views and manages user-session state within ADF applications. The affected CPE (cpe:2.3:a:oracle_corporation:oracle_application_development_framework_(adf)) covers the two Long-Term Support releases: 12.2.1.4.0 (WebLogic 12c era) and 14.1.2.0.0 (current JDK 17/21 stream). No CWE is formally assigned by Oracle, but the 'Authentication Bypass' intelligence tag indicates the root cause class is likely an access control flaw (CWE-284 or CWE-287 family) within ADF Faces - potentially improper enforcement of data visibility boundaries or session token handling at the component layer. The local attack vector (AV:L) confirms exploitation occurs on the host or VM where ADF/WebLogic executes, not over a network interface.
RemediationAI
Apply the patches distributed in Oracle's June 2026 Critical Patch Update (CPU), available through My Oracle Support and documented at https://www.oracle.com/security-alerts/cspujun2026.html. Oracle CPU patches must be applied through the standard OPatch or WebLogic Smart Update mechanism; exact patch IDs should be retrieved from the CPU advisory matrix for the affected version (12.2.1.4.0 or 14.1.2.0.0). No independently confirmed patched release version number beyond the June 2026 CPU is available in the current intelligence. If immediate patching is not possible, restrict OS-level and WebLogic domain administrative access to the ADF infrastructure to the minimum required personnel, enforcing least-privilege via OS access controls and WebLogic security roles. Auditing local logon events and ADF Security policy changes can serve as a detective compensating control. Disabling unused ADF Faces data-bound components or enforcing stricter JAZN/ADF Security authorization policies may reduce the exploitable surface, though these mitigations have application-specific compatibility trade-offs that require testing.
Privileged takeover of Oracle Application Development Framework (ADF) is possible in Fusion Middleware versions 12.2.1.4
Cross-site scripting or authentication bypass in Oracle Application Development Framework (ADF) Security Framework compo
Local confidentiality compromise in Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0 ex
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37461