Description
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
Published: 2026-06-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This issue is a case of CWE-287, an authentication failure weakness, where the Authentication Engine of Oracle Access Manager does not properly verify the identity of users, enabling an unauthenticated attacker with network access via HTTP to send requests that result in unauthorized update, insert, or delete operations on some data as well as unauthorized read access to a subset of data.

Affected Systems

The affected releases are Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0. The flaw is confined to the Authentication Engine of these versions, making only these bundles susceptible to exploitation.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 signals moderate severity with confidentiality and integrity impacts, while the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is network‑based HTTP access; the attacker does not need valid credentials to target a vulnerable host.

Generated by OpenCVE AI on June 19, 2026 at 00:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle Security Patch for Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 as released through the official Oracle Security Alert.
  • Restrict HTTP access to the Access Manager application to trusted network segments or specific IP ranges using firewall rules or network ACLs.
  • Deploy a web application firewall or intrusion detection system to detect and block suspicious requests directed at the authentication endpoints.
  • Monitor application logs for unauthorized modification or read attempts and investigate any anomalies promptly.

Generated by OpenCVE AI on June 19, 2026 at 00:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP API Exploit Enables Data Modification in Oracle Access Manager

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Unauthorized Data Modification and Read in Oracle Access Manager
Weaknesses CWE-284
CWE-639

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Unauthorized Data Modification and Read in Oracle Access Manager
Weaknesses CWE-284
CWE-287
CWE-639
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
First Time appeared Oracle
Oracle access Manager
CPEs cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:access_manager:14.1.2.1.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle access Manager
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Oracle Access Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:33:01.188Z

Reserved: 2026-04-01T20:03:40.834Z

Link: CVE-2026-35261

cve-icon Vulnrichment

Updated: 2026-06-17T14:32:51.387Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:00:12Z

Weaknesses