Description
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Development Framework (ADF), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data as well as unauthorized read access to a subset of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-06-16
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability in the Security Framework component of Oracle Application Development Framework (ADF) permits an unauthenticated attacker with HTTP network access to perform unauthorized update, insert, or delete operations on data accessible to ADF. The flaw also allows reading of restricted data subsets. The attack requires human interaction from another user, so it is not a purely automated remote code execution, but it still enables significant confidentiality and integrity violations. The weakness is a classic example of improper access control, undermining data protection.

Affected Systems

The affected components are Oracle Application Development Framework versions 12.2.1.4.0 and 14.1.2.0.0, part of Oracle Fusion Middleware. These are deployed in enterprise environments and may be exposed to external networks. Affected users include Oracle ADF administrators and any application that relies on the ADF security framework.

Risk and Exploitability

The vulnerability has a CVSS v3.1 Base Score of 6.1, indicating moderate severity. The EPSS score is below 1%, suggesting low current exploit probability, and the issue is not listed in the CISA KEV catalog. However, the flaw allows unauthorized data manipulation with network access and could affect additional products due to scope change. The likely attack vector is HTTP, requiring an unauthenticated attacker who can also convince another party to assist. Given the moderate score and low exploit likelihood, the risk is considered moderate but warrants prompt patching.

Generated by OpenCVE AI on June 17, 2026 at 18:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle ADF patch for versions 12.2.1.4.0 and 14.1.2.0.0.
  • Restrict network access to the ADF components using firewall rules so that only trusted hosts can reach the HTTP endpoints.
  • Verify that authentication and authorization controls are properly enforced and that no data can be modified or read without appropriate privileges.
  • Monitor application events.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added

  • Description: Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Development Framework (ADF), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Development Framework (ADF) accessible data as well as unauthorized read access to a subset of Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
  • First Time appeared: Oracle; Oracle application Development Framework
  • CPEs:
      cpe:2.3:a:oracle:application_development_framework:12.2.1.4.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:application_development_framework:14.1.2.0.0:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle application Development Framework
  • References:
  • Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:34:41.885Z

Reserved: 2026-05-18T15:55:10.296Z

Link: CVE-2026-46770

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:30:02Z

Weaknesses

No weakness.