CVE-2026-46774: Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core)
Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in takeover of Oracle Unified Directory. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: — (no fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated remote code execution vulnerability affects Oracle Unified Directory (OUD Core) versions 12.2.1.4.0 and 14.1.2.1.0, reachable over the network via the RMI protocol without any credentials. The flaw requires no user interaction and carries a CVSS 3.1 score of 9.8 (Critical). Successful exploitation gives an attacker full takeover of the Oracle Unified Directory instance, including complete read, write, and availability impact. No fix version has been published by Oracle; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment upstream ships a fix.
HarborGuard Coverage
- Detection (status: Available). Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that layer Oracle Unified Directory. Any image running an affected version (12.2.1.4.0 or 14.1.2.1.0) is flagged automatically in both registry scans and CI/CD pipeline checks.
- Triage (status: Available). Affected findings are triaged with the full CVSS 3.1 score of 9.8 (Critical) and weighted against each customer organization's compliance policy to determine priority and routing. Alerts are delivered to the inbox or ticketing integration configured for the relevant team within each customer environment.
- Remediation (status: Pending upstream). Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle releases a corrected version. In the meantime, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations to restrict RMI port exposure for affected workloads.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Oracle Unified Directory service over the network via the RMI protocol; any host with network access to the exposed RMI port is a viable attacker origin.
- Authentication: Not required. No credentials of any kind are needed; the vulnerable RMI endpoint accepts and processes unauthenticated requests.
- Victim interaction: Not required. The attack is fully server-side and completes without any action from a logged-in user or administrator.
- Attack complexity: Low (CVSS AC:L). Exploitation is reliable and condition-free; no race conditions, specific memory layout, or environmental configuration is required to trigger the vulnerability.
Blast Radius
- A successful attacker achieves full takeover of the Oracle Unified Directory instance, including execution of arbitrary code or commands in the context of the OUD process.
- All directory data stored in OUD (user credentials, group memberships, organizational records) is readable by the attacker.
- The attacker can modify or delete directory entries, corrupting identity and access data that downstream applications depend on.
- The OUD service can be crashed or rendered unavailable, disrupting authentication and authorization for any system that relies on it.
How HarborGuard Handles This
Available on HarborGuard: images containing Oracle Unified Directory 12.2.1.4.0 or 14.1.2.1.0 are matched against this CVE on every scan cycle, including images built internally by customer teams. Because Oracle has not yet published a fix version, no patched-image rebuild is available; HarborGuard monitors the Oracle advisory on each ingest cycle and will trigger a rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads as soon as a fix is released. While no patch is available, HarborGuard surfaces compensating-control guidance: applying Kubernetes network policies or firewall rules to restrict RMI port access to known trusted sources, enabling egress filtering to limit the blast radius of a compromised OUD instance, and flagging any workload exposing the RMI port externally as a high-priority finding requiring immediate owner review.
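The two compensating controls named above (flagging workloads that publish the RMI port outside the cluster, and isolating the OUD pods with a network policy) can be scripted. The following is an added example and is not HarborGuard's or Oracle's own tooling: the Service objects are constructed sample data in the shape `kubectl get svc -A -o json` returns under `items`, the pod labels, namespace and the RMI port number (`1689`) are placeholders because the advisory does not state which port OUD's RMI listener uses, and the helper and function names are the example's own.

```python
"""Added example (not HarborGuard's or Oracle's code).

1. find_exposed_rmi_services(): flag any Kubernetes Service that publishes
   the OUD RMI port outside the cluster via NodePort or LoadBalancer.
2. rmi_isolation_policy(): build a NetworkPolicy manifest that lets only
   explicitly labelled management pods reach the RMI port and restricts the
   OUD pod's egress to cluster DNS.

All labels, namespaces and the port number are placeholders (assumptions).
"""
import json

RMI_PORT_PLACEHOLDER = 1689  # PLACEHOLDER: substitute your OUD RMI listener port
EXTERNAL_SERVICE_TYPES = {"NodePort", "LoadBalancer"}


def _service_ports(svc):
    """Yield (port, targetPort) pairs declared on a Service object."""
    for p in svc.get("spec", {}).get("ports", []):
        yield p.get("port"), p.get("targetPort", p.get("port"))


def find_exposed_rmi_services(services, rmi_port=RMI_PORT_PLACEHOLDER):
    """Return (namespace, name, type) for Services exposing the RMI port externally.

    Only NodePort and LoadBalancer Services are reachable from outside the
    cluster; ClusterIP Services are left to the NetworkPolicy layer below.
    """
    findings = []
    for svc in services:
        svc_type = svc.get("spec", {}).get("type", "ClusterIP")
        if svc_type not in EXTERNAL_SERVICE_TYPES:
            continue
        for port, target in _service_ports(svc):
            if rmi_port in (port, target):
                meta = svc["metadata"]
                findings.append((meta.get("namespace", "default"), meta["name"], svc_type))
                break  # one finding per Service is enough
    return findings


def rmi_isolation_policy(namespace="directory", oud_label="oracle-unified-directory",
                         admin_label="oud-admin", rmi_port=RMI_PORT_PLACEHOLDER):
    """Build a NetworkPolicy (as a dict) isolating the OUD pods' RMI port.

    Selecting the OUD pods with both policyTypes makes every ingress and
    egress flow that no rule allows drop, so the RMI port is reachable only
    from pods carrying role=<admin_label>, and a compromised OUD process can
    reach nothing but cluster DNS. LDAP client traffic is intentionally not
    covered here; a real deployment adds a separate ingress rule for it.
    """
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "oud-rmi-isolation", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": oud_label}},
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [{
                "from": [{"podSelector": {"matchLabels": {"role": admin_label}}}],
                "ports": [{"protocol": "TCP", "port": rmi_port}],
            }],
            "egress": [{
                "to": [{
                    "namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},
                }],
                "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
            }],
        },
    }


# Constructed sample: three Services as they might appear in a cluster inventory.
SAMPLE_SERVICES = [
    {"metadata": {"namespace": "directory", "name": "oud-ldap"},
     "spec": {"type": "ClusterIP", "ports": [{"port": 1389, "targetPort": 1389}]}},
    {"metadata": {"namespace": "directory", "name": "oud-mgmt"},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 1689, "targetPort": 1689}]}},
    {"metadata": {"namespace": "directory", "name": "oud-nodeport"},
     "spec": {"type": "NodePort", "ports": [{"port": 8080, "targetPort": 1689, "nodePort": 31689}]}},
]

if __name__ == "__main__":
    for ns, name, kind in find_exposed_rmi_services(SAMPLE_SERVICES):
        print(f"HIGH: {ns}/{name} ({kind}) publishes the OUD RMI port outside the cluster")
    print(json.dumps(rmi_isolation_policy(), indent=2))
```

The generated manifest is plain JSON, which `kubectl apply -f -` accepts directly. Two caveats a practitioner should keep in mind: a NetworkPolicy is only enforced when the cluster's CNI plugin implements it, and the exposure check above inspects Service definitions only, so host-network pods or an Ingress controller forwarding to the RMI port need a separate review.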
Affected Products
- Oracle Corporation / Oracle Unified Directory: 12.2.1.4.0 · 14.1.2.1.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H