Oracle Access Manager
Monthly
Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - contingent on user interaction - to achieve limited confidentiality and integrity compromise, with scope change propagating impact to additional Fusion Middleware products. Versions 12.2.1.4.0 and 14.1.2.1.0 are confirmed affected per Oracle's June 2026 Critical Patch Update. The scope change (S:C) is particularly notable because OAM functions as an SSO gateway, meaning even limited manipulation during authentication flows can cascade to downstream applications sharing that identity fabric. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Privilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the identity broker via the Authentication Engine component, with a CVSS 9.9 score reflecting a scope-changing impact on downstream protected applications. No public exploit identified at time of analysis, but Oracle's June 2026 Critical Patch Update flags it as easily exploitable over HTTP, making it a high-priority patch for any environment using OAM for SSO/federation.
Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.
Remote exploitation of Oracle Access Manager's Authentication Engine allows unauthenticated network attackers - contingent on user interaction - to achieve limited confidentiality and integrity compromise, with scope change propagating impact to additional Fusion Middleware products. Versions 12.2.1.4.0 and 14.1.2.1.0 are confirmed affected per Oracle's June 2026 Critical Patch Update. The scope change (S:C) is particularly notable because OAM functions as an SSO gateway, meaning even limited manipulation during authentication flows can cascade to downstream applications sharing that identity fabric. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.
Remote unauthenticated compromise of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 is possible via the Web Server Plugin component over HTTP, allowing attackers to alter or read subsets of OAM data and trigger partial denial of service. The flaw carries a CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N) and is rated easily exploitable by Oracle. No public exploit identified at time of analysis, and the CVE is not currently listed in CISA KEV.
Privilege escalation and takeover of Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 allows a low-privileged remote attacker to fully compromise the identity broker via the Authentication Engine component, with a CVSS 9.9 score reflecting a scope-changing impact on downstream protected applications. No public exploit identified at time of analysis, but Oracle's June 2026 Critical Patch Update flags it as easily exploitable over HTTP, making it a high-priority patch for any environment using OAM for SSO/federation.
Unauthenticated network exploitation of Oracle Access Manager's Authentication Engine enables partial data read and modification without credentials. Affected deployments running versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Access Manager within Oracle Fusion Middleware are exposed via HTTP on the network, with no user interaction required. The vendor-tagged classification of 'Authentication Bypass' in a component explicitly responsible for authentication processing makes this particularly sensitive given OAM's role as a centralized enterprise SSO and policy enforcement gateway; no public exploit or CISA KEV listing is confirmed at time of analysis.