CVE-2026-46797: Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites)
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: none published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical unauthenticated remote compromise vulnerability affects Oracle WebCenter Sites (versions 12.2.1.4.0 and 14.1.2.0.0), a component of Oracle Fusion Middleware. The flaw is reachable over the network via HTTP and requires no credentials or user interaction to trigger. Successful exploitation gives an attacker full control over the WebCenter Sites instance, including complete read, write, and availability impact. No fix versions have been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment upstream ships a fix.
HarborGuard Coverage
- Detection (Available): the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that package Oracle WebCenter Sites. Any image running an affected version (12.2.1.4.0 or 14.1.2.0.0) is flagged automatically.
- Scoring and triage (Available): HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and weights that score against each customer organization's compliance policy to prioritize alerting. Triage routing directs findings to the appropriate team inbox within each customer environment based on policy configuration.
- Remediation (Pending upstream): because no upstream fix versions have been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as Oracle releases a remediated version. In the meantime, customers with auto-remediation enabled receive compensating-control recommendations and can apply network-policy isolation at the workload level through HarborGuard's policy engine.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the WebCenter Sites service over the network via HTTP (CVSS AV:N); no local or physical access is needed.
- Authentication: Not required
No credentials of any privilege level are needed (PR:N); any unauthenticated party that can reach the service can exploit the flaw.
- Victim interaction: Not required
No user or administrator action is needed to trigger the vulnerability (UI:N); the attacker drives the whole exploit alone.
- Attack complexity: Low
Attack complexity is low (AC:L): success does not depend on conditions outside the attacker's control such as a race window, a particular memory layout, or other variable environmental factors, so an attacker can expect repeatable results.
Blast Radius
- A successful attacker reads all data stored by the WebCenter Sites application, including content, configuration, and any credentials or session material held in the service.
- The attacker can modify or delete persisted content, site configuration, and backend data, enabling defacement or sabotage of managed web properties.
- The attacker can crash or render the WebCenter Sites service fully unavailable, disrupting content delivery for any sites the instance manages.
- Takeover of the WebCenter Sites instance gives the attacker that host's network position, from which adjacent internal services reachable from it can be attacked. Note that the vector's Scope is Unchanged (S:U): the scored impact is confined to WebCenter Sites itself, and any pivot beyond it is a follow-on consequence rather than part of the 9.8.
How HarborGuard Handles This
Because no upstream patch exists for CVE-2026-46797, HarborGuard continuously re-checks the Oracle advisory on every ingest cycle and will trigger an automatic patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild is followed by a regression test run and a PR opened against affected workloads, with a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues once an upstream fix is available.

While awaiting the patch, HarborGuard's policy engine can surface compensating-control recommendations:
- network-policy isolation to restrict inbound HTTP access to WebCenter Sites workloads;
- egress filtering to limit lateral movement from a compromised instance;
- feature-flag or deployment-freeze gates to prevent new vulnerable images from entering production.
Where compliance policy permits, these controls can be applied automatically across affected environments.
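The first two compensating controls above are, on a Kubernetes cluster, a pair of NetworkPolicy objects. The following is an added example, not HarborGuard's policy engine or Oracle's guidance: it builds an ingress policy that admits HTTP only from the ingress controller's namespace and an egress policy that allows only the database and cluster DNS, emits them as a JSON List that `kubectl apply -f -` accepts, and includes a small checker for the ingress rule so the allow-list semantics can be verified before rollout. Namespace, label and port values (`app=webcenter-sites`, `ingress-nginx`, 8080, 1521) are placeholders for this example; substitute the cluster's own.

```python
"""Compensating network controls for an unpatched WebCenter Sites workload,
as Kubernetes NetworkPolicy objects (added example; names are placeholders)."""
import json

# Assumed labels: WebCenter Sites pods carry app=webcenter-sites, the ingress
# controller runs in namespace ingress-nginx, the DB pods carry app=wcs-db.
APP_LABELS = {"app": "webcenter-sites"}
INGRESS_NS = {"kubernetes.io/metadata.name": "ingress-nginx"}
KUBE_SYSTEM = {"kubernetes.io/metadata.name": "kube-system"}
DB_LABELS = {"app": "wcs-db"}
HTTP_PORT, DB_PORT = 8080, 1521


def _policy(name, namespace, kind, rules):
    # policyTypes=[kind] makes the selected pods default-deny in that direction.
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": {"matchLabels": APP_LABELS},
                     "policyTypes": [kind], kind.lower(): rules}}


def ingress_policy(namespace):
    """Inbound HTTP only from the ingress controller; everything else is dropped."""
    return _policy("wcs-restrict-ingress", namespace, "Ingress", [{
        "from": [{"namespaceSelector": {"matchLabels": INGRESS_NS}}],
        "ports": [{"protocol": "TCP", "port": HTTP_PORT}]}])


def egress_policy(namespace):
    """Outbound only to the DB pods in the same namespace and to cluster DNS,
    so a compromised instance cannot reach other internal services."""
    return _policy("wcs-restrict-egress", namespace, "Egress", [
        {"to": [{"podSelector": {"matchLabels": DB_LABELS}}],
         "ports": [{"protocol": "TCP", "port": DB_PORT}]},
        {"to": [{"namespaceSelector": {"matchLabels": KUBE_SYSTEM}}],
         "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]}])


def _labels_match(selector, labels):
    # matchLabels is AND over keys; an empty selector ({}) matches everything.
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _peer_matches(peer, ns_labels, pod_labels, same_namespace):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False  # ipBlock peers are not modelled by this checker
    if ns_sel is None and not same_namespace:
        return False  # a podSelector alone only selects pods in the policy's own namespace
    if ns_sel is not None and not _labels_match(ns_sel, ns_labels):
        return False
    return pod_sel is None or _labels_match(pod_sel, pod_labels)


def ingress_allowed(policy, ns_labels, pod_labels, same_namespace, port, proto="TCP"):
    """Would this policy, on its own, admit a connection from the given peer?"""
    for rule in policy["spec"].get("ingress", []):
        ports = rule.get("ports")
        if ports and not any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports):
            continue
        if not rule.get("from"):
            return True  # a rule without 'from' admits every source on those ports
        if any(_peer_matches(p, ns_labels, pod_labels, same_namespace) for p in rule["from"]):
            return True
    return False


def render(namespace="cms"):
    """Both manifests as a JSON List, ready for `kubectl apply -f -`."""
    return json.dumps({"apiVersion": "v1", "kind": "List",
                       "items": [ingress_policy(namespace), egress_policy(namespace)]}, indent=2)


if __name__ == "__main__":
    print(render())
```

Two caveats a practitioner should check before relying on this: NetworkPolicy is only enforced when the cluster's CNI supports it, and the ingress policy still leaves the application reachable through the ingress controller, so the unauthenticated HTTP path that this CVE needs remains open to whatever the controller exposes; pair it with authentication or IP restrictions at the edge until the patch lands.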
- Oracle Corporation / Oracle WebCenter Sites: 12.2.1.4.0 · 14.1.2.0.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H