CVE-2026-46766: Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server)
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical unauthenticated remote compromise vulnerability affects Oracle WebCenter Content (Content Server component) versions 12.2.1.4.0 and 14.1.2.0.0. The flaw is reachable over HTTP with no authentication or user interaction required, placing any internet- or network-exposed Content Server instance at immediate risk. Successful exploitation gives an attacker full control of the affected system, including complete read, write, and denial-of-service capability. No fix version has been published by Oracle; HarborGuard tracks the advisory for patch availability and will surface a patched-image rebuild the moment upstream ships a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built images layering Oracle WebCenter Content. Any image carrying an affected version (12.2.1.4.0 or 14.1.2.0.0) of the Content Server component is flagged immediately.
Status: Available
HarborGuard scores this CVE at CVSS 9.8 Critical and is capable of weighting that score against each customer environment's compliance policy to prioritize alert routing. Triage tickets are routable to the appropriate team inbox inside each customer organization based on registry, namespace, or workload tagging rules configured by that customer.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory and NVD record on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle publishes a corrected release. In the interim, customers with network-isolation or compensating-control policies can use HarborGuard policy gates to flag or block deployment of images containing the affected versions.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Content Server over the network via HTTP; any internet-exposed or internally network-accessible instance is in scope.
- Authentication: Not required
No account or credential of any kind is needed; the attacker can send malicious requests as an anonymous, unauthenticated user.
- Victim interaction: Not required
The attack is fully server-side and requires no action from any user or administrator of the target system.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites beyond network access.
Blast Radius
- A successful attacker reads all content managed by the Content Server, including documents, metadata, access-control lists, and stored credentials or tokens.
- The attacker writes or modifies persisted content, configuration, and administrative data within the Content Server repository.
- The attacker can crash or make the Content Server process unavailable, disrupting content delivery and dependent application workflows.
- Full system takeover means the attacker can pivot to other services reachable from the Content Server host, escalating impact beyond the initial target.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46766, the platform monitors the upstream advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a corrected version is released. Until then, customers are encouraged to use HarborGuard's policy-gate capability to block promotion or deployment of any image containing Oracle WebCenter Content 12.2.1.4.0 or 14.1.2.0.0 to internet-facing or sensitive environments. Network-policy isolation rules can be modeled and enforced through HarborGuard's compensating-control suggestions, helping restrict HTTP access to the Content Server to explicitly allow-listed sources while the fix is pending. When Oracle ships the patch, environments with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a PR opened against affected workloads without manual intervention.
- Oracle Corporation / Oracle WebCenter Content: 12.2.1.4.0 · 14.1.2.0.0