CRITICAL · CVE-2026-46773 · CNA: oracle

CVE-2026-46773: Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core)

Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in takeover of Oracle Unified Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in:
Affected Products: 1

HarborGuard Analysis

Synopsis

An unauthenticated remote code execution vulnerability affects Oracle Unified Directory (OUD Core) versions 12.2.1.4.0 and 14.1.2.1.0. The flaw is reachable over the network via LDAP without any credentials or user interaction, making it trivially exploitable from any host that can reach the LDAP listener. Successful exploitation results in full takeover of the Oracle Unified Directory instance, giving the attacker complete control over confidentiality, integrity, and availability. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection

Detection for CVE-2026-46773 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle OUD Core components.

Available

Triage

HarborGuard scores this CVE at CVSS 9.8 (Critical) and is capable of weighting that score against each environment's compliance policy to produce a prioritized, routed alert that lands in the right team inbox within each customer organization.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a remediated release. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.

Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the OUD LDAP listener over the network; any host with network access to the exposed port can attempt exploitation.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is exploitable by a completely unauthenticated attacker.

  • Victim interaction: Not required

    The attack requires no action from any user or administrator.

  • Attack complexity: Detail

    Exploitation is described as easy and condition-free, with no race conditions or environment-specific factors required to trigger the vulnerability.

Blast Radius

  • A successful attacker reads all data held in the directory, including credentials, group memberships, and any attributes stored in the LDAP tree.
  • The attacker can write or delete directory entries, modifying access-control records, user accounts, and organizational data.
  • The attacker can crash or hang the OUD service, denying authentication and directory lookups to all dependent applications.
  • Because OUD Core is typically a central identity store, a takeover can cascade into unauthorized access across every application and service that trusts the directory for authentication or authorization.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-46773 is actively tracked against all images in customer registries and pipelines, scored at CVSS 9.8 (Critical), and surfaced immediately for triage. Because Oracle has not yet published a fix, HarborGuard cannot generate a patched-image rebuild at this time. Instead, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger the rebuild-and-PR flow automatically for customers with auto-remediation enabled the moment a fix version appears upstream.

While waiting for an upstream patch, consider applying network-policy controls to restrict LDAP port access to only trusted internal sources, enabling egress filtering to limit lateral movement from a compromised OUD instance, and reviewing whether the OUD listener needs to be exposed beyond a minimal set of authorized clients. These compensating controls reduce the effective attack surface without requiring a code-level fix.
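
One way to express the ingress restriction and egress filtering described above for an OUD workload running on Kubernetes, as an added example (not HarborGuard's or Oracle's configuration). The policy name, namespaces, labels and port numbers are assumptions; substitute the listener ports and client selectors of the actual deployment.

```yaml
# Added example. All names, labels and ports below are assumptions.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: oud-ldap-restrict          # hypothetical policy name
  namespace: identity              # assumed namespace of the OUD pods
spec:
  podSelector:
    matchLabels:
      app: oud                     # assumed label on the OUD pods
  # Declaring both types makes the policy default-deny in each direction
  # for the selected pods; only the rules below are permitted.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only pods that are BOTH in the "apps" namespace AND carry the
    # ldap-client label may reach the LDAP listener. The two selectors sit
    # in one list item, so they are ANDed rather than ORed.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: apps   # assumed client namespace
          podSelector:
            matchLabels:
              ldap-client: "true"                 # assumed client label
      ports:
        - protocol: TCP
          port: 1389               # assumed LDAP listener port
        - protocol: TCP
          port: 1636               # assumed LDAPS listener port
  egress:
    # A directory server rarely needs to open outbound connections.
    # Allow DNS only, so a compromised instance cannot reach other
    # workloads or external hosts directly.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy objects only take effect when the cluster's network plugin enforces them. Replication or administration traffic, if the instance uses it, needs its own explicit ingress and egress rules.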

Affected packages
  • Oracle Corporation / Oracle Unified Directory
    12.2.1.4.0 · 14.1.2.1.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H