Description
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-06-16
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Oracle Access Manager permits an attacker who can reach the system over HTTP to compromise it without first authenticating. The flaw allows the attacker, provided a user other than the attacker interacts with the malicious request, to perform unauthorized update, insert or delete operations on some of the data that Access Manager exposes, and to read a subset of the data it guards. The impact is limited to the confidentiality and integrity of that data; availability is not affected.

Affected Systems

Products affected are Oracle Access Manager version 12.2.1.4.0 and version 14.1.2.1.0, which are part of Oracle Fusion Middleware. No other vendor products are listed, but successful exploitation could influence additional systems that rely on Oracle Access Manager for authentication services.

Risk and Exploitability

The recorded CVSS 3.1 score of 6.1 indicates moderate severity, with a low impact on confidentiality and integrity. The EPSS score of less than 1% signifies a low probability of exploitation in the wild at present, and the vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is network communication over HTTP: the attacker must have network access to the Oracle Access Manager instance, and a user other than the attacker must interact with the malicious content for the attack to succeed. The user-interaction requirement lowers the overall risk, but the potential to alter or view protected data remains significant, and because the scope changes, products that rely on Access Manager for authentication may also be affected.

Generated by OpenCVE AI on June 17, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the most recent Oracle patches that address this issue, or upgrade to a version of Oracle Access Manager that is not listed as affected;
  • Restrict unnecessary HTTP access to the Oracle Access Manager endpoints, using firewalls or access control lists to limit network exposure;
  • Enforce secure communication channels (HTTPS) and mandate multi‑factor authentication for all users interacting with Oracle Access Manager;
  • Regularly review audit logs for unexpected unauthenticated or suspicious requests to the Access Manager services.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values removed: none

Values added:

  Description: Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

  First Time appeared: Oracle; Oracle access Manager

  CPEs: cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*
        cpe:2.3:a:oracle:access_manager:14.1.2.1.0:*:*:*:*:*:*:*

  Vendors & Products: Oracle; Oracle access Manager

  References:

  Metrics: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:23:23.232Z

Reserved: 2026-05-18T15:55:10.301Z

Link: CVE-2026-46812

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T04:45:03Z

Weaknesses

No weakness.