CVE-2026-35313: Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine)
Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Access Manager. While the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Access Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: none published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical authentication engine vulnerability in Oracle Access Manager (versions 12.2.1.4.0 and 14.1.2.1.0) is reachable over the network via HTTP with only a low-privilege account, requiring no victim interaction. Successful exploitation gives an attacker full control over the affected Oracle Access Manager instance, with scope change meaning downstream systems relying on it for authentication are also at risk of confidentiality breach, data tampering, and service disruption. No fix version has been published yet; HarborGuard tracks this advisory and will flag a patched rebuild the moment Oracle releases one.
HarborGuard Coverage
- Available: Detection capability for CVE-2026-35313 is available across every HarborGuard environment, with the CVE matched against customer container images within minutes of publication from upstream feeds, including custom-built images that bundle Oracle Access Manager components.
- Available: Triage is available using the CVSS 3.1 base score of 9.9 (Critical), weighted against each customer organization's compliance policy to determine urgency and route findings to the appropriate team inbox.
- Pending upstream: Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle publishes a fix. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Oracle Access Manager service over the network via HTTP; no physical or local access is needed.
- Authentication: Required. Any low-privilege account is sufficient; no administrative credentials are required to trigger the vulnerability.
- Victim interaction: Not required. No victim action is needed; the attacker can exploit the vulnerability without involving another user.
- Attack complexity: Low. The exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors.
Blast Radius
- Attacker gains full control of the Oracle Access Manager instance, including the ability to read all stored authentication tokens, session data, and user credentials.
- Attacker can modify or delete identity and access policy data, potentially granting unauthorized access to protected applications.
- The Authentication Engine service can be crashed or rendered unavailable, blocking legitimate users from authenticating across dependent systems.
- Because the CVSS scope changes, other products that rely on Oracle Access Manager for authentication decisions are also exposed to the same confidentiality, integrity, and availability impacts.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-35313 is active and matched against all customer images on every ingest cycle. Because Oracle has not yet published a fix for affected versions 12.2.1.4.0 and 14.1.2.1.0, no patched rebuild is available at this time. HarborGuard will generate a patched-image rebuild automatically the moment an upstream fix ships; customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without needing to intervene. In the interim, recommended compensating controls include applying strict network-policy rules to limit HTTP access to the Oracle Access Manager service to authorized internal clients only, enabling egress filtering on any container running affected versions to prevent lateral movement in the event of compromise, and reviewing whether the low-privilege accounts with HTTP access to the service can be further restricted by IP allowlist or short-lived token issuance.
Affected Products
- Oracle Corporation / Oracle Access Manager: 12.2.1.4.0 · 14.1.2.1.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H