CVE-2026-35314 · Severity: HIGH · CNA: oracle

CVE-2026-35314: Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Web Server Plugin)

Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Web Server Plugin). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessible data as well as unauthorized read access to a subset of Oracle Access Manager accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Access Manager. CVSS 3.1 Base Score 7.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

Metrics

CVSS v3.1 base score: 7.3
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

This is a multi-impact vulnerability in the Web Server Plugin component of Oracle Access Manager (versions 12.2.1.4.0 and 14.1.2.1.0), part of Oracle Fusion Middleware. An unauthenticated attacker with HTTP network access can reach the affected component directly, with no prior login or user interaction required. Successful exploitation allows the attacker to read a subset of accessible data, write or delete some data, and partially disrupt service availability. HarborGuard is tracking the advisory for patch availability, as no fix version has been published yet.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against customer images, including custom-built images that bundle Oracle Access Manager components. Any image running an affected version (12.2.1.4.0 or 14.1.2.1.0) surfaces in scan results automatically.

Triage: Available

HarborGuard scores this finding at CVSS 7.3 (HIGH), applies per-environment compliance policy weighting to adjust its priority, and routes the alert to the appropriate team inbox within each customer organization. No manual triage step is needed to get the finding in front of the right owner.

Patch: Pending upstream

Because Oracle has not published a fix version, HarborGuard re-evaluates the Oracle advisory on every ingest cycle and will make a patched-image rebuild available as soon as Oracle ships a remediated release. In the meantime, compensating controls can be configured while the fix is pending. Note that the Web Server Plugin is the component that fronts protected applications, so it cannot be taken off the user-facing path entirely: network-policy isolation here means restricting ingress to the expected load balancer or ingress controller and blocking direct access from other workloads. Egress filtering limits what a compromised plugin process can reach afterwards but does not block the unauthenticated inbound HTTP vector itself.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Access Manager Web Server Plugin over HTTP from the network (AV:N); no prior foothold on the host is needed.

  • Authentication: Not required

    No credentials or session token are required (PR:N); the vulnerable endpoint accepts unauthenticated requests.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator (UI:N).

  • Attack complexity: Low

    The vector rates attack complexity as low (AC:L): no race conditions or special environmental factors are needed, so an attacker can expect repeatable success against a reachable instance.

Blast Radius

  • Reads a subset of the data accessible to Oracle Access Manager. Oracle does not specify which data; given the component, this may include identity attributes, session metadata, or policy data.
  • Writes, inserts, or deletes some Oracle Access Manager accessible data, which could allow tampering with identity records or access policies.
  • Causes a partial denial of service against the Oracle Access Manager service, degrading authentication and authorization decisions for downstream applications.
  • Because Oracle Access Manager acts as an identity gateway, any combination of the above impacts can affect the applications and users that rely on it for authentication.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Oracle and NVD advisory feeds means any customer image containing Oracle Access Manager 12.2.1.4.0 or 14.1.2.1.0 is flagged automatically, scored at CVSS 7.3 HIGH and routed according to each customer's compliance policy. Because Oracle has not published a fix version, no patched rebuild is available yet; HarborGuard re-checks the advisory on every ingest cycle and triggers the rebuild-and-PR flow automatically once upstream ships a remediated package. While awaiting the fix, customers can apply compensating controls: restrict ingress to the Web Server Plugin endpoint to the intended load balancer or ingress controller using Kubernetes NetworkPolicy or equivalent firewall rules (the plugin must stay reachable by end users, so this reduces exposure rather than removing it), apply egress filtering to limit lateral movement from the plugin process, and review access-policy configurations to limit the data surface exposed through the affected component.

Affected packages
  • Oracle Corporation / Oracle Access Manager
    12.2.1.4.0 · 14.1.2.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L