Description
Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in takeover of Oracle Unified Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker with network access to the RMI interface can exploit a flaw in Oracle Unified Directory, allowing the attacker to take over the directory service. The vulnerability is classified as a high-severity remote code execution with a CVSS 3.1 base score of 9.8, indicating large confidentiality, integrity and availability impact. Attacker privileges can be escalated to full control of the application and its data.

Affected Systems

The affected product is Oracle Unified Directory from Oracle Corporation. Versions 12.2.1.4.0 and 14.1.2.1.0 are impacted. No other versions are mentioned as affected in the CNA data.

Risk and Exploitability

The risk is high due to the CVSS score of 9.8, but the EPSS score is under 1%, suggesting a low probability that the vulnerability is actively exploited at present. The vulnerability is not listed in the CISA KEV catalog. An attacker would need only network connectivity to the RMI port and no prior authentication to successfully exploit the flaw, meaning the vulnerability is likely to be leveraged remotely.

Generated by OpenCVE AI on June 17, 2026 at 20:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle Unified Directory security patch released for version 12.2.1.5.0 or later (or 14.1.2.2.0 or later) as documented in the Oracle security alert for June 2026.
  • Configure your firewall to block inbound RMI traffic to the Oracle Unified Directory server unless required for business operations.
  • If patching cannot be performed immediately, temporarily disable the RMI interface or restrict access to the RMI port to trusted hosts only.

Generated by OpenCVE AI on June 17, 2026 at 20:16 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in takeover of Oracle Unified Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle unified Directory
CPEs | | cpe:2.3:a:oracle:unified_directory:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:unified_directory:14.1.2.1.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle unified Directory
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:34:13.168Z

Reserved: 2026-05-18T15:55:10.296Z

Link: CVE-2026-46774

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:30:05Z

Weaknesses

No weakness.