CVE-2026-46776: Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core)
Vulnerability in the Oracle Unified Directory product of Oracle Fusion Middleware (component: OUD Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via LDAP to compromise Oracle Unified Directory. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data as well as unauthorized read access to a subset of Oracle Unified Directory accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Unified Directory. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).
Metrics
- CVSS v3.1: 8.6
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an unauthenticated network-exploitable vulnerability in the OUD Core component of Oracle Unified Directory, affecting versions 12.2.1.4.0 and 14.1.2.1.0. An attacker reachable over the network via LDAP requires no credentials and no victim interaction to exploit the flaw. Successful exploitation allows unauthorized read access to a subset of directory data, full creation, deletion, or modification of critical directory data, and a partial denial of service. No fix versions have been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream ships a fix.
HarborGuard Coverage
Detection for CVE-2026-46776 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. This coverage extends to custom-built images that bundle Oracle Unified Directory, not just images pulled from upstream registries.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS 3.1 base score of 8.6 (HIGH) and weighting that score against each environment's compliance policy to determine priority. Triage routing to the appropriate team inbox within a customer organization is available automatically based on those policy settings.
Status: Available
Because no fix version has been published for CVE-2026-46776, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available as soon as upstream releases a corrected version. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle Unified Directory service over the network via LDAP; the service must be exposed to the attacker's network segment.
- Authentication: Not required
No credentials are needed; the vulnerability is exploitable by a completely unauthenticated attacker.
- Victim interaction: Not required
No user or administrator action is required to trigger the vulnerability; the attacker operates entirely on their own.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or special environmental configuration.
Blast Radius
- Reads a subset of stored Oracle Unified Directory data, which may include user attributes, group memberships, or other LDAP entries.
- Creates, deletes, or modifies critical directory entries and all accessible directory data, enabling account manipulation or privilege escalation within systems that rely on the directory.
- Causes a partial disruption to the Oracle Unified Directory service, degrading authentication and directory-lookup availability for dependent applications.
- Any system that delegates authentication or authorization decisions to Oracle Unified Directory inherits the integrity impact of tampered directory data.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46776, the platform monitors the Oracle advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment a corrected version is released upstream. For customers who opt into auto-remediation, that event will trigger a full rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth evaluating include network-policy rules that restrict LDAP port access to known trusted source ranges, egress filtering to limit what a compromised directory instance can reach, and review of any applications that grant elevated trust to Oracle Unified Directory-sourced group or role attributes. HarborGuard will surface any policy violations related to this CVE as findings in the customer's compliance dashboard for as long as the advisory remains unpatched.
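One way to check that the trusted-source restriction on the LDAP ports actually holds is to audit the directory's connection records. This is an added example, not HarborGuard or Oracle code; the subnets, the ports, and the CONNECT-record layout are assumptions to adapt, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed values: replace with your own trusted client subnets and listener ports.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.5.16/28")]
LDAP_PORTS = {1389, 1636}

# Assumed CONNECT-record layout; adjust the pattern to your server's access log.
CONNECT = re.compile(
    r"CONNECT conn=\d+ from=(?P<src>[0-9A-Fa-f.:]+):\d+ to=\S+:(?P<port>\d+)\b")

# Constructed sample lines, not taken from a real system.
SAMPLE_LOG = """\
[12/Jan/2026:09:00:01 +0000] CONNECT conn=101 from=10.20.0.14:51022 to=10.20.9.5:1389 protocol=LDAP
[12/Jan/2026:09:00:03 +0000] CONNECT conn=102 from=192.0.2.77:40110 to=10.20.9.5:1389 protocol=LDAP
[12/Jan/2026:09:00:04 +0000] MODIFY conn=102 op=1 msgID=2 dn="uid=app,ou=people,dc=example,dc=com"
[12/Jan/2026:09:00:09 +0000] CONNECT conn=103 from=10.20.5.20:33810 to=10.20.9.5:1636 protocol=LDAPS
[12/Jan/2026:09:00:12 +0000] CONNECT conn=104 from=10.20.5.40:33811 to=10.20.9.5:1636 protocol=LDAPS
[12/Jan/2026:09:00:15 +0000] CONNECT conn=105 from=192.0.2.77:40188 to=10.20.9.5:1389 protocol=LDAP
"""


def is_trusted(addr):
    """True if addr falls inside one of the TRUSTED networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in TRUSTED)


def untrusted_ldap_sources(log_text):
    """Count LDAP/LDAPS connections per source address outside TRUSTED."""
    hits = Counter()
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if not m or int(m["port"]) not in LDAP_PORTS:
            continue
        try:
            trusted = is_trusted(m["src"])
        except ValueError:  # unparseable source: surface it rather than skip it
            trusted = False
        if not trusted:
            hits[m["src"]] += 1
    return hits
```

Any address this returns is a source that reached the LDAP listener despite the intended restriction, including near misses such as a host just outside a /28.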
- Oracle Corporation / Oracle Unified Directory: 12.2.1.4.0 · 14.1.2.1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L