Description
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: Java Business Objects). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-06-16
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Java Business Objects component of Oracle Application Development Framework (ADF) and can be exploited only by an attacker who already has high‑privileged access to the host machine where ADF runs. Successful exploitation grants the attacker unauthorized access to critical data or, in the worst case, all data that ADF can reach. The impact is limited to confidentiality and does not affect integrity or availability.

Affected Systems

Oracle ADF versions 12.2.1.4.0 and 14.1.2.0 of Oracle Fusion Middleware are affected. Any deployment that hosts ADF and allows local high‑privilege users is potentially vulnerable.

Risk and Exploitability

The CVSS base score of 4.1 reflects a moderate risk primarily because the attack requires local high‑privileged access. The EPSS score of less than 1% indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, environments that host ADF should treat the flaw as a privilege‑escalation risk if local system access is compromised.

Generated by OpenCVE AI on June 17, 2026 at 21:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle ADF to a version that includes the fix (for example 12.2.1.4.1 or later, or the latest release).
  • If an upgrade is not immediately possible, restrict the high‑privilege accounts that can log on to the host and enforce least‑privilege for the process that runs ADF.
  • Review and strengthen all credentials used by ADF, ensuring they follow strong password policies and are rotated regularly.

Generated by OpenCVE AI on June 17, 2026 at 21:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title High‑Privilege Access in Oracle ADF Allows Unauthorized Data Access
Weaknesses CWE-284

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: Java Business Objects). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Application Development Framework (ADF) executes to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Application Development Framework (ADF) accessible data. CVSS 3.1 Base Score 4.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle application Development Framework
CPEs cpe:2.3:a:oracle:application_development_framework:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:application_development_framework:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle application Development Framework
References
Metrics cvssV3_1

{'score': 4.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Oracle Application Development Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:34:35.667Z

Reserved: 2026-05-18T15:55:10.296Z

Link: CVE-2026-46771

cve-icon Vulnrichment

Updated: 2026-06-17T15:25:17.753Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:00:12Z

Weaknesses