CVE-2026-46769: Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Shared Components)
Vulnerability in the Oracle Application Development Framework (ADF) product of Oracle Fusion Middleware (component: ADF Shared Components). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Application Development Framework (ADF). Successful attacks of this vulnerability can result in takeover of Oracle Application Development Framework (ADF). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A full-takeover vulnerability affects the ADF Shared Components of Oracle Application Development Framework (ADF) versions 12.2.1.4.0 and 14.1.2.0.0, part of Oracle Fusion Middleware. An attacker with an admin-level account can reach the vulnerable component over HTTP from the network and exploit it without any victim interaction. Successful exploitation gives the attacker complete control over the ADF instance, including full read, write, and denial-of-service capabilities. No fix version has been published yet; HarborGuard tracks the Oracle advisory and will surface a patched-image rebuild the moment upstream ships a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built ADF-derived images, in registries and CI/CD pipelines.
Status: Available
HarborGuard scores this finding at CVSS 7.2 HIGH and weights it against each customer organization's compliance policy to determine ticket priority and routing, ensuring it lands in the right team's inbox without manual triage overhead.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild automatically available the moment Oracle ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the ADF HTTP endpoint over the network; local or physical access alone is not sufficient.
- Authentication: Required
  An admin or otherwise high-privileged account is needed to authenticate before the vulnerability can be triggered.
- Victim interaction: Not required
  No user action or social engineering is needed; the attacker operates entirely on their own once authenticated.
- Attack complexity: Detail
  Exploitation is reliable and condition-free, with no race conditions or special memory-layout requirements to satisfy.
Blast Radius
- A successful attacker reads all data accessible to the ADF application, including stored credentials, session tokens, and application configuration.
- The attacker can write or overwrite application data, configuration files, and any persistent state the ADF instance manages.
- The attacker can crash or render the ADF service fully unavailable, disrupting any workflows or downstream systems that depend on it.
- The combination of high confidentiality, integrity, and availability impact means the attacker achieves effective takeover of the ADF instance and everything it hosts.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46769 is active and will flag any image running Oracle ADF 12.2.1.4.0 or 14.1.2.0.0 across customer registries and pipelines. Because Oracle has not yet published a patched release, HarborGuard monitors the advisory on every ingest cycle and will make a rebuilt image available immediately upon upstream fix publication. For customers with auto-remediation enabled, that rebuild will automatically trigger a regression-test run and open a PR against affected workloads. In the interim, compensating controls worth considering include isolating ADF instances behind a network policy that restricts HTTP access to trusted source CIDRs only, applying strict egress filtering to limit lateral movement if an admin account is compromised, and auditing admin account grants to reduce the pool of credentials an attacker could leverage.
- Oracle Corporation / Oracle Application Development Framework (ADF): 12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H