Description
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle WebCenter Portal is vulnerable through its Security Framework component, permitting an attacker who can reach HTTPS services to gain unauthorized control over the entire portal. The flaw exposes the portal to complete takeover, impacting confidentiality, integrity, and availability. The vulnerability is categorized as an improper access control and authentication weakness that allows remote code execution for an unauthenticated attacker.

Affected Systems

Affected versions are Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0, part of Oracle Fusion Middleware. Any installation of these releases that exposes HTTPS endpoints to the network is susceptible.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 indicates critical severity, and the vector shows network-based low complexity with no authentication or user interaction required. The EPSS score of less than 1% suggests low current exploitation probability, but the vulnerability is not listed in the CISA KEV catalog. Nonetheless, given the potential for system takeover, the risk remains high and the vulnerability is highly exploitable if an attacker can reach the portal over HTTPS.

Generated by OpenCVE AI on June 18, 2026 at 23:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for Oracle WebCenter Portal 12.2.1.4.0 and 14.1.2.0.0 as released by Oracle.
  • Restrict HTTPS access to the portal from trusted network segments only, blocking public or untrusted networks via firewall rules.
  • Segregate the portal environment to isolate it from other critical infrastructure, and monitor for suspicious activity on HTTPS ports.

Generated by OpenCVE AI on June 18, 2026 at 23:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title Oracle WebCenter Portal Unauthenticated Remote Code Execution via Improper Authorization

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Oracle WebCenter Portal Remote Code Execution via HTTPS
Weaknesses CWE-284
CWE-307

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Oracle WebCenter Portal Remote Code Execution via HTTPS
Weaknesses CWE-284
CWE-306
CWE-307
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Portal
CPEs cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_portal:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Portal
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Portal
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-23T03:55:47.144Z

Reserved: 2026-05-18T15:55:10.306Z

Link: CVE-2026-46845

cve-icon Vulnrichment

Updated: 2026-06-17T15:32:11.008Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:00:06Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function