Description
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Web Server Plugin). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Access Manager. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Published: 2026-06-16
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw in the Web Server Plugin component of Oracle Access Manager lets an unauthenticated attacker with HTTP network access update, insert or delete some of the data the product exposes, read a subset of that data, and cause a partial denial of service. No CWE is assigned to the entry, so the underlying weakness class is not stated; Oracle's description characterises the bug only by its effect on the product's data and availability.

Affected Systems

Oracle Access Manager (part of Oracle Fusion Middleware) in the supported versions 12.2.1.4.0 and 14.1.2.1.0, with the Web Server Plugin named as the affected component. Oracle's description covers only supported versions; older, unsupported releases are not assessed.

Risk and Exploitability

The CVSS 3.1 base score of 7.3 (High) follows from the vector: network attack vector, low attack complexity, no privileges and no user interaction required, unchanged scope, and Low (not High) impact on each of confidentiality, integrity and availability. The rating is high because the exploitability side is maximal, not because any single impact is severe. The EPSS score is below 1% and the CVE is not in CISA's KEV catalog, so there is no evidence of exploitation in the wild at the time of this page. That does not change the technical reachability: the plugin runs on the web server tier in front of the applications Access Manager protects, so any party able to send HTTP requests to such a web server can attempt the attack without credentials. The entry gives no vulnerable endpoint, request shape or proof-of-concept, so nothing beyond the CVSS vector is known about how it is triggered.

Generated by OpenCVE AI on June 17, 2026 at 20:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the fix Oracle publishes for this CVE and upgrade affected 12.2.1.4.0 and 14.1.2.1.0 deployments to the patched release. At the time of this page no fix, workaround or advisory reference is listed here, so check Oracle's security advisory for CVE-2026-35314 directly rather than relying on this entry.
  • Reduce who can reach web servers running the Access Manager plugin. The plugin sits on the web tier in front of protected applications: where those applications are internal, restrict HTTP/HTTPS to trusted networks or a VPN; where they must be internet-facing, a reverse proxy or WAF in front of the plugin is the only place to filter, and since the entry describes no request pattern it can only reduce exposure, not block the attack.
  • Ensure the web server hosting the plugin and the Access Manager server log every request with source address, method, path and status, and alert on unexpected write methods or error-rate spikes against the plugin from unauthenticated sources. The entry provides no indicator for the specific request, so this is anomaly monitoring, not a signature.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Web Server Plugin). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Access Manager. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
First Time appeared | | Oracle; Oracle access Manager
CPEs | | cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:access_manager:14.1.2.1.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle access Manager
References | |
Metrics | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Oracle Access Manager
MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:37:32.198Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35314

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:00:05Z

Weaknesses

No weakness.