CVE-2026-46782: Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle)
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical-severity vulnerability affecting the Client Bundle component of Oracle WebCenter Enterprise Capture (part of Oracle Fusion Middleware) allows a low-privileged attacker to compromise the product over HTTP without any victim interaction. The flaw carries a scope change, meaning successful exploitation can impact systems beyond WebCenter Enterprise Capture itself, and results in full takeover, including complete read, write, and availability control. No fix versions have been published; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment Oracle releases one.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from Oracle and NVD advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle WebCenter Enterprise Capture components at versions 12.2.1.4.0 or 14.1.2.0.0.
Available
HarborGuard is capable of scoring matched findings at the published CVSS 3.1 score of 9.9 (Critical), applying per-environment compliance policy weighting, and routing the alert to the appropriate team inbox within each customer organization.
Available
Because no upstream fix version exists, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle publishes a corrected release. In the interim, customers with network-policy controls or segmentation rules can use HarborGuard's compensating-control suggestions to restrict HTTP access to affected service endpoints.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the WebCenter Enterprise Capture service over the network via HTTP; no local or physical access is needed.
- Authentication: Required
  Any low-privilege account is sufficient; no administrative or elevated credentials are required to trigger the vulnerability.
- Victim interaction: Not required
  No user action is needed; the attacker can carry out the attack entirely without involving another person.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race timing, or memory-layout knowledge.
Blast Radius
- A successful attacker reads all data accessible to the WebCenter Enterprise Capture service, including captured documents, stored credentials, and session tokens.
- The attacker can modify or delete persisted data managed by the Client Bundle component, corrupting document capture workflows and stored records.
- The attacker can crash or render the WebCenter Enterprise Capture service unavailable, halting document ingestion pipelines.
- Because the CVSS scope is changed, additional products sharing infrastructure or trust relationships with WebCenter Enterprise Capture are reachable from the same exploit session.
How HarborGuard Handles This
Available on HarborGuard: matching against this CVE is active for all customer registries and CI pipelines as of the advisory publication date. Because Oracle has not yet published a fix, the standard rebuild-and-PR flow is not available yet; however, HarborGuard will generate a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads as soon as Oracle releases a corrected version. In the meantime, HarborGuard surfaces compensating-control recommendations for each matched environment, including applying Kubernetes NetworkPolicy rules to restrict inbound HTTP access to WebCenter Enterprise Capture pods, enabling egress filtering to limit lateral reach if the service is compromised, and tagging affected images in the registry with a hold status so they cannot be promoted to production without an explicit policy exception. The advisory is re-evaluated on every ingest cycle, so no manual monitoring is required.
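One way to express the NetworkPolicy compensating control described above (inbound HTTP restriction plus egress filtering), as an added example that is not HarborGuard's or Oracle's own configuration. The namespaces, pod labels and ports are assumptions to replace with the values from your own deployment:

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: capture-restrict-http            # hypothetical policy name
  namespace: capture                     # hypothetical namespace running the Capture pods
spec:
  podSelector:
    matchLabels:
      app: webcenter-capture             # hypothetical label on the affected pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the reverse proxy that fronts Capture may reach its HTTP listener.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress   # hypothetical proxy namespace
          podSelector:
            matchLabels:
              app: capture-proxy         # hypothetical proxy label
      ports:
        - protocol: TCP
          port: 16400                    # assumed HTTP listen port; use your server's port
  egress:
    # The database the service depends on; everything else is denied.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: database  # hypothetical database namespace
          podSelector:
            matchLabels:
              app: capture-db            # hypothetical database label
      ports:
        - protocol: TCP
          port: 1521                     # assumed database listener port
    # DNS lookups to the cluster resolver.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

The policy only takes effect on clusters whose network plugin enforces NetworkPolicy. Because any low-privilege account is sufficient, it narrows who can reach the service and what a compromised pod can reach; it does not remove the exposure for authenticated users who arrive through the permitted proxy.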
- Oracle Corporation / Oracle WebCenter Enterprise Capture: 12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H