Description
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Shared Components). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Oracle Application Development Framework (ADF) vulnerability described in CVE-2026-46769 is characterized as an easily exploitable flaw that permits a high-privileged attacker with network access via HTTP to compromise the ADF component and ultimately take over the framework. The CVSS 3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates full confidentiality, integrity, and availability impact for the affected system.

Affected Systems

Affected systems are Oracle Application Development Framework 12.2.1.4.0 and 14.1.2.0.0, which are part of Oracle Fusion Middleware. Any deployment of these ADF versions that exposes an HTTP interface to the network is vulnerable, regardless of the underlying operating environment.

Risk and Exploitability

The risk is moderate to high because the flaw allows complete takeover once a high-privilege attacker can reach the ADF instance over HTTP. The EPSS score of less than 1 % signals a low probability of exploitation in the current threat landscape, and the vulnerability is not listed in CISA's KEV catalog. Exploitation does not require local access or physical presence; it can occur remotely through the exposed HTTP services, with the attacker needing only high-privilege credentials or a session that grants such privileges.

Generated by OpenCVE AI on June 17, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patches for ADF versions 12.2.1.4.0 and 14.1.2.0.0 as issued by Oracle.
  • Temporarily restrict or block external HTTP access to ADF servers to reduce exposure while a patch is applied.
  • Employ network segmentation to isolate ADF environments from untrusted networks and enforce strict authentication and authorization controls on ADF endpoints.

Generated by OpenCVE AI on June 17, 2026 at 22:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 05:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Remote Takeover via HTTP in Oracle ADF
Weaknesses CWE-269
CWE-284

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Shared Components). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle application Development Framework
CPEs cpe:2.3:a:oracle:application_development_framework:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_development_framework:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle application Development Framework
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Application Development Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-19T03:55:43.822Z

Reserved: 2026-05-18T15:55:10.296Z

Link: CVE-2026-46769

cve-icon Vulnrichment

Updated: 2026-06-17T15:25:19.814Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:00:12Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control