Description
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical flaw exists in the Client Bundle component of Oracle WebCenter Enterprise Capture, where an unauthenticated attacker can exploit the remote method invocation (RMI) interface. Because the RMI service fails to enforce proper authentication and authorization (CWE‑306), the vulnerability allows complete compromise of the application. Successful exploitation grants the attacker full control, enabling arbitrary code execution and the ability to read, modify, or delete data while disrupting services. The flaw also carries a scope change, meaning that compromise of Oracle WebCenter Enterprise Capture may potentially affect other Oracle Fusion Middleware components deployed in the same environment.

Affected Systems

Oracle WebCenter Enterprise Capture versions 12.2.1.4.0 and 14.1.2.0.0 are affected. These editions are part of Oracle Fusion Middleware and are typically deployed in on‑premises or cloud environments that host Oracle WebCenter Enterprise Capture.

Risk and Exploitability

The CVSS 3.1 base score of 10.0 denotes a complete compromise of confidentiality, integrity, and availability. The EPSS score of less than 1% indicates a very low probability of a real‑world exploit at the time of assessment, yet the severity remains critical. The vulnerability is not listed in the CISA KEV catalog. The likely attack path requires only network access to the RMI port; no user interaction or privileged credentials are needed.

Generated by OpenCVE AI on June 19, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle patch that addresses CVE‑2026‑46778 for the Client Bundle component.
  • If a patch is not yet available, block or disable the RMI service and restrict inbound traffic to the RMI port using firewall rules.
  • Segregate the application from untrusted networks by placing it behind a properly segmented firewall and implementing least‑privilege network access controls.

Generated by OpenCVE AI on June 19, 2026 at 04:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Exploit in Oracle WebCenter Enterprise Capture Client Bundle Over RMI

Fri, 19 Jun 2026 03:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via RMI in Oracle WebCenter Enterprise Capture
Weaknesses CWE-284
CWE-287

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via RMI in Oracle WebCenter Enterprise Capture
Weaknesses CWE-284
CWE-287

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Enterprise Capture
CPEs cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_enterprise_capture:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Enterprise Capture
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Enterprise Capture
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:33:36.881Z

Reserved: 2026-05-18T15:55:10.297Z

Link: CVE-2026-46778

cve-icon Vulnrichment

Updated: 2026-06-17T15:22:32.417Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:52Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function