Description
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vulnerability in Oracle WebCenter Content 14.1.2.0.0 allows an attacker who can reach the server over HTTP to create, delete or modify critical data without authenticating. The flaw is a cross‑site request forgery weakness that bypasses proper authorization checks. The CVE description explicitly states that successful attacks require human interaction from a person other than the attacker, indicating that the attacker relies on a victim clicking a malicious request. This can compromise the confidentiality and integrity of all content accessible through the application. The only outcome cited is unauthorized data modification; no denial‑of‑service effect is mentioned.

Affected Systems

Oracle WebCenter Content by Oracle Corporation, version 14.1.2.0.0. No other vendors or product versions are listed.

Risk and Exploitability

The CVSS 3.1 base score of 9.3 reflects high confidentiality and integrity impacts. The EPSS score is below 1 %, indicating a very low current exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The vulnerability can be triggered over a normal HTTP connection; this is inferred as the likely attack vector because the description only notes network access as a prerequisite and does not specify the transport protocol. No privileged access or local execution is required, and no public exploits have been reported.

Generated by OpenCVE AI on June 19, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle security updates for WebCenter Content to address the authentication bypass vulnerability.
  • Restrict HTTP(S) access to the WebCenter Content server to trusted IP ranges or enforce VPN usage.
  • Implement CSRF protection, such as token validation or SameSite cookie attributes, to mitigate the cross‑site request forgery flaw.

Generated by OpenCVE AI on June 19, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated CSRF Leading to Data Modification in Oracle WebCenter Content

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Data Modification in Oracle WebCenter Content
Weaknesses CWE-284
CWE-287

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Data Modification in Oracle WebCenter Content
Weaknesses CWE-284
CWE-287
CWE-352
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Content accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).
First Time appeared Oracle
Oracle webcenter Content
CPEs cpe:2.3:a:oracle:webcenter_content:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Content
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


Subscriptions

Oracle Webcenter Content
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-19T03:55:53.227Z

Reserved: 2026-05-18T15:55:10.298Z

Link: CVE-2026-46785

cve-icon Vulnrichment

Updated: 2026-06-17T14:39:35.882Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:30:17Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)