Skip to main content

Oracle Access Manager

4 CVEs product

Monthly

CVE-2026-46812 MEDIUM This Month

Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - contingent on user interaction - to achieve limited confidentiality and integrity compromise, with scope change propagating impact to additional Fusion Middleware products. Versions 12.2.1.4.0 and 14.1.2.1.0 are confirmed affected per Oracle's June 2026 Critical Patch Update. The scope change (S:C) is particularly notable because OAM functions as an SSO gateway, meaning even limited manipulation during authentication flows can cascade to downstream applications sharing that identity fabric. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Oracle Oracle Access Manager
NVD
CVSS 3.1
6.1
EPSS
0.3%
CVE-2026-35314 HIGH This Week

Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Denial Of Service Oracle Oracle Access Manager Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2026-35313 CRITICAL Act Now

Privilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the identity broker via the Authentication Engine component, with a CVSS 9.9 score reflecting a scope-changing impact on downstream protected applications. No public exploit identified at time of analysis, but Oracle's June 2026 Critical Patch Update flags it as easily exploitable over HTTP, making it a high-priority patch for any environment using OAM for SSO/federation.

Oracle Oracle Access Manager Authentication Bypass
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-35261 MEDIUM This Month

Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass Oracle Oracle Access Manager
NVD
CVSS 3.1
6.5
EPSS
0.3%
EPSS 0% CVSS 6.1
MEDIUM This Month

Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - contingent on user interaction - to achieve limited confidentiality and integrity compromise, with scope change propagating impact to additional Fusion Middleware products. Versions 12.2.1.4.0 and 14.1.2.1.0 are confirmed affected per Oracle's June 2026 Critical Patch Update. The scope change (S:C) is particularly notable because OAM functions as an SSO gateway, meaning even limited manipulation during authentication flows can cascade to downstream applications sharing that identity fabric. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

Authentication Bypass Oracle Oracle Access Manager
NVD
EPSS 0% CVSS 7.3
HIGH This Week

Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.

Denial Of Service Oracle Oracle Access Manager +1
NVD
EPSS 0% CVSS 9.9
CRITICAL Act Now

Privilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the identity broker via the Authentication Engine component, with a CVSS 9.9 score reflecting a scope-changing impact on downstream protected applications. No public exploit identified at time of analysis, but Oracle's June 2026 Critical Patch Update flags it as easily exploitable over HTTP, making it a high-priority patch for any environment using OAM for SSO/federation.

Oracle Oracle Access Manager Authentication Bypass
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.

Authentication Bypass Oracle Oracle Access Manager
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy