CVE-2026-46767: Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer)
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Composer). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical vulnerability exists in the Composer component of Oracle WebCenter Portal (versions 12.2.1.4.0 and 14.1.2.0.0), a web portal product in the Oracle Fusion Middleware suite. The flaw is reachable over HTTP from the network and requires only a low-privilege account, with no victim interaction needed. Successful exploitation gives an attacker full takeover of Oracle WebCenter Portal and can spill over to compromise additional products in the same environment. HarborGuard is tracking the advisory for patch availability, as no fix version has been published upstream yet.
HarborGuard Coverage
- Detection (status: Available): Detection of CVE-2026-46767 is available across every HarborGuard environment: the CVE is ingested from Oracle and upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from Oracle Fusion Middleware base layers.
- Triage (status: Available): Triage is available with the full CVSS 3.1 score of 9.9 (Critical) applied automatically, weighted further by any per-environment compliance policy configured inside the customer org, and routed to the appropriate team inbox based on ownership rules defined by the customer.
- Patched rebuild (status: Pending upstream): Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle WebCenter Portal service over the network via HTTP; no physical or local access is required.
- Authentication: Required
A low-privilege account is sufficient; any valid user credential on the portal grants the access level needed to trigger the vulnerability.
- Victim interaction: Not required
The attacker does not need to trick any user into taking an action; exploitation is fully attacker-driven.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental prerequisites.
Blast Radius
- Reads all confidential content stored in Oracle WebCenter Portal, including pages, portlets, user profile data, and any credentials or tokens cached by the Composer component.
- Modifies or destroys portal configuration, persisted page layouts, and stored content, enabling persistent backdoors or defacement.
- Crashes or degrades the WebCenter Portal service, making the portal unavailable to all users.
- Because the CVSS scope is changed, a successful attacker gains a foothold to compromise other products and services that share the same Fusion Middleware environment.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged at Critical (9.9) and monitored continuously against all images in connected customer registries and pipelines. Because Oracle has not yet published a fix version, HarborGuard rechecks the advisory on every ingest cycle. The moment a patched release is available upstream, a rebuilt image becomes available for affected environments, and customers with auto-remediation enabled will receive a regression-tested rebuild and an automated PR opened against affected workloads. In the interim, compensating controls worth evaluating include network-policy rules that restrict HTTP access to the WebCenter Portal service to known, authorized source CIDRs; egress filtering to limit lateral movement if the portal host is compromised; and, where operationally feasible, disabling or isolating the Composer component until a vendor patch is available.
- Oracle Corporation / Oracle WebCenter Portal: 12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H