CVE-2026-46786: Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server)
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). The supported version that is affected is 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical unauthenticated remote attack vulnerability exists in Oracle WebCenter Content (Content Server component, version 14.1.2.0.0). The vulnerability is reachable over the network via HTTP with no credentials required, though a victim must interact for the attack to succeed. Successful exploitation results in full takeover of the Oracle WebCenter Content instance, with impact extending beyond the directly targeted product to other systems in scope. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle WebCenter Content components. Any image running version 14.1.2.0.0 of the Content Server is flagged immediately on the next pipeline scan.
Available
HarborGuard scores this finding at CVSS 9.6 (Critical) and applies per-environment compliance policy weighting to prioritize it appropriately within each customer org. Triage routing is available to direct the alert to the correct team inbox, with full CVSS vector detail attached for immediate review.
Available
No fix version has been published by Oracle at this time; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once the patch is available.
Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Oracle WebCenter Content service over the network via HTTP; no local or physical access is assumed.
- Authentication: Not required
  No credentials of any kind are needed; the attacker can interact with the service as an anonymous user.
- Victim interaction: Required
  A person other than the attacker must take some action (such as clicking a link or visiting a crafted page) for the attack to complete.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and repeatable with no dependency on race conditions or specific environmental states.
Blast Radius
- A successful attacker reads all content managed by the Content Server, including documents, stored credentials, and session data.
- The attacker modifies or deletes persisted content, configurations, and access control records within the WebCenter Content repository.
- The Content Server process is crashed or made unavailable, disrupting document management and dependent workflows.
- Because scope changes, the attacker can pivot to compromise other products and services that trust or integrate with the affected Oracle WebCenter Content instance.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged Critical and tracked continuously against all customer images that include Oracle WebCenter Content 14.1.2.0.0. Because Oracle has not yet published a fix, no patched-image rebuild is available; however, HarborGuard re-evaluates the advisory on every ingest cycle and will trigger the rebuild-and-PR flow automatically (for customers with auto-remediation enabled) the moment Oracle ships a patch. In the interim, compensating controls worth considering include network-policy isolation to restrict HTTP access to the Content Server to known, trusted source addresses; egress filtering to limit lateral movement if a host is compromised; and feature-flag or reverse-proxy gating to reduce the surface of user-facing endpoints that could serve as the victim-interaction vector.
- Oracle Corporation / Oracle WebCenter Content 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H