Description
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Security Framework of Oracle WebCenter Portal and allows a low‑privileged attacker with network access over HTTP to compromise the application, exploiting missing authentication enforcement (CWE-284). The flaw can be exploited easily and leads to full takeover of the portal, affecting confidentiality, integrity, and availability. The CVSS 3.1 base score of 9.9 reflects a high‑severity risk with abundant impact across all security categories.

Affected Systems

Affected are Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0, delivered by Oracle Corporation as part of its Fusion Middleware suite.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity, while the EPSS score of less than 1 % suggests that exploitation is not common yet; however, the low privilege requirement and availability of network‑based HTTP access make the attack surface broad. The vulnerability is not listed in CISA's KEV catalog, so no evidence of widespread exploitation exists at present, yet the potential for scope change means other products could be affected if the portal is compromised. Attackers would likely use the exposed HTTP endpoint to push malicious code or execute privileged actions, taking over the portal and possibly other connected systems.

Generated by OpenCVE AI on June 19, 2026 at 00:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle WebCenter Portal security patch or upgrade to a version that includes the fix.
  • Restrict HTTP access to IP ranges and enforce strong authentication for all users.
  • Monitor web application logs for anomalous activity and block malicious IPs. Optionally, disable publicly exposed Security Framework endpoints if not required.

Generated by OpenCVE AI on June 19, 2026 at 00:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title Oracle WebCenter Portal Authorization Bypass Allowing Full System Compromise

Thu, 18 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution in Oracle WebCenter Portal via HTTP
Weaknesses CWE-269
CWE-285

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution in Oracle WebCenter Portal via HTTP
Weaknesses CWE-269
CWE-284
CWE-285
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Portal
CPEs cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Portal
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Portal
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:25:29.257Z

Reserved: 2026-05-18T15:55:10.302Z

Link: CVE-2026-46814

cve-icon Vulnrichment

Updated: 2026-06-17T15:25:21.575Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:30:17Z

Weaknesses