CVE-2026-46778: Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle)
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via RMI to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical remote code execution vulnerability affects the Client Bundle component of Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0), part of Oracle Fusion Middleware. An unauthenticated attacker with network access can reach the service over RMI (Remote Method Invocation, a Java inter-process communication protocol) and exploit it without any credentials or victim interaction. Successful exploitation results in a full takeover of the affected product, with impact spilling into adjacent systems due to a scope change in the CVSS rating. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.
HarborGuard Coverage
- Available: Detection for CVE-2026-46778 is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD advisory feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images that bundle Oracle WebCenter Enterprise Capture or its Client Bundle artifacts.
- Available: Triage is available with the full CVSS 3.1 score of 10.0 (Critical) applied automatically to any matched image, weighted against each customer organization's compliance policy to determine urgency and routing. Findings are directed to the appropriate team inbox within the customer org based on image ownership and policy configuration.
- Pending upstream: No fix version has been published by Oracle for this CVE; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention as soon as a fix version becomes available.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle WebCenter Enterprise Capture service over the network via the RMI protocol; internet or internal network exposure is sufficient.
- Authentication: Not required
No credentials of any kind are required; the vulnerability is exploitable by a completely unauthenticated attacker.
- Victim interaction: Not required
No user action or social engineering is needed; the attacker operates entirely against the exposed service.
- Attack complexity: Detail
Attack complexity is Low, meaning the exploit is reliable and repeatable with no dependency on race conditions, specific memory layout, or other variable environmental factors.
Blast Radius
- Reads all data accessible to the Oracle WebCenter Enterprise Capture process, including captured documents, metadata, and stored credentials.
- Modifies or destroys persisted capture workflows, document repositories, and configuration data.
- Crashes or fully disables the Oracle WebCenter Enterprise Capture service, halting document ingestion pipelines.
- Due to scope change, compromises additional products and services that share the same host or trust the Capture service, extending attacker control beyond the initial target.
How HarborGuard Handles This
Available on HarborGuard: because no Oracle-published fix exists for CVE-2026-46778 at this time, the platform monitors the advisory on every ingest cycle and will automatically surface a patched-image rebuild the moment Oracle publishes a corrected version. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression-test run and a PR opened against affected workloads, with no manual intervention required. In the meantime, HarborGuard flags all images containing Oracle WebCenter Enterprise Capture 12.2.1.4.0 or 14.1.2.0.0 as Critical findings. Where compliance policy permits, recommended compensating controls include network-policy rules that restrict inbound RMI port access to trusted internal hosts only, egress filtering to limit lateral movement if the service is compromised, and disabling or isolating the Client Bundle component on any externally reachable node until a patch is available.
- Oracle Corporation / Oracle WebCenter Enterprise Capture: 12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H