Description
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle WebCenter Portal is vulnerable through its Security Framework component, permitting an attacker who can reach HTTPS services to gain unauthorized control over the entire portal. The flaw exposes the portal to complete takeover, impacting confidentiality, integrity, and availability. The vulnerability is categorized as an improper access control and authentication weakness that allows remote code execution for an unauthenticated attacker.

Affected Systems

Affected versions are Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0, part of Oracle Fusion Middleware. Any installation of these releases that exposes HTTPS endpoints to the network is susceptible.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 indicates critical severity, and the vector shows a network attack vector with low attack complexity and no authentication or user interaction required. The EPSS score of less than 1% suggests low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, given the potential for system takeover, the risk remains high and the vulnerability is highly exploitable if an attacker can reach the portal over HTTPS.

Generated by OpenCVE AI on June 17, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 as released by Oracle.
  • Restrict HTTPS access to the portal from trusted network segments only, blocking public or untrusted networks via firewall rules.
  • Segregate the portal environment to isolate it from other critical infrastructure, and monitor for suspicious activity on HTTPS ports.

Generated by OpenCVE AI on June 17, 2026 at 18:22 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). |
| First Time appeared | | Oracle; Oracle webcenter Portal |
| CPEs | | `cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*`; `cpe:2.3:a:oracle:webcenter_portal:14.1.2.0.0:*:*:*:*:*:*:*` |
| Vendors & Products | | Oracle; Oracle webcenter Portal |
| References | | |
| Metrics | | cvssV3_1: `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:32:17.437Z

Reserved: 2026-05-18T15:55:10.306Z

Link: CVE-2026-46845

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T01:15:16Z

Weaknesses

No weakness.