CVE-2026-46765: Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer)
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical-severity vulnerability in the Composer component of Oracle WebCenter Portal (versions 12.2.1.4.0 and 14.1.2.0.0) allows a network-accessible attacker holding any low-privilege account to fully compromise the portal. Exploitation requires no victim interaction and no elevated permissions, so it can be triggered over standard HTTP. Successful exploitation gives the attacker complete control over the confidentiality, integrity, and availability of the portal, and the scope change means the blast radius extends to additional products in the same environment. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.
HarborGuard Coverage
- Available: Detection capability for CVE-2026-46765 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer container images, including custom-built images that package Oracle WebCenter Portal components. Any image found running affected version 12.2.1.4.0 or 14.1.2.0.0 of the Composer component is flagged immediately.
- Available: HarborGuard scores this finding at CVSS 9.9 Critical and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on configured severity thresholds and ownership rules.
- Pending upstream: Because Oracle has not published an upstream fix version, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. Where compliance policy permits, auto-remediation customers will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required. The attacker must be able to reach the Oracle WebCenter Portal service over the network via HTTP; there is no requirement for local or physical access.
- Authentication: Required. Any low-privilege account on the portal is sufficient; no administrative or elevated credentials are needed.
- Victim interaction: Not required. The attack completes without any action from another user or administrator on the target system.
- Attack complexity: Low. The exploit is reliable and requires no special timing, race conditions, or environmental prerequisites.
Blast Radius
- Attacker reads all data stored in Oracle WebCenter Portal, including user session tokens, portal content, and any integrated data sources exposed through the Composer component.
- Attacker modifies or destroys portal content, configurations, and persisted user data, corrupting the integrity of the WebCenter environment.
- Attacker crashes or renders the portal service unavailable, causing a full denial of service for all portal users.
- Due to scope change, attacker pivots to compromise additional Oracle Fusion Middleware products sharing the same runtime environment.
How HarborGuard Handles This
Because Oracle has not yet published a fix version for CVE-2026-46765, the platform monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment an upstream fix is released. For customers with auto-remediation enabled, that flow includes a regression-test run and a pull request opened against affected workloads, with no manual steps required. In the interim, compensating controls are worth considering: network policy rules that restrict HTTP access to the WebCenter Portal Composer endpoint to known trusted source IPs, egress filtering to limit lateral movement in the event of a compromise, and feature-flag gating or disabling of the Composer component if it is not actively needed. Given the CVSS 9.9 score and scope-change impact, this advisory should be treated as highest priority for triage and compensating-control deployment until Oracle ships a patch.
Affected Products
- Oracle Corporation / Oracle WebCenter Portal: 12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H