CVE-2026-46798: Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites)
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical vulnerability affects Oracle WebCenter Sites (versions 12.2.1.4.0 and 14.1.2.0.0), a component of Oracle Fusion Middleware. The flaw is reachable over the network via HTTP with no authentication and no user interaction required, so any attacker who can reach the service can attempt it. Oracle describes the outcome of a successful attack as takeover of the WebCenter Sites instance (CVSS 3.1 base score 10.0, C:H/I:H/A:H), with impact extending beyond the directly affected product to other systems in scope (S:C). HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-46798 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Oracle WebCenter Sites components. Any image in a connected registry or CI/CD pipeline running an affected version (12.2.1.4.0 or 14.1.2.0.0) is eligible for flagging automatically.
- Triage: Available
Triage is available with a CVSS 3.1 score of 10.0 (Critical), surfaced alongside each customer organization's compliance policy weighting to reflect actual environmental risk. Findings are routable to the appropriate team inbox based on per-environment ownership rules configured inside HarborGuard.
- Fix: Pending upstream
No fix version has been published by Oracle for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically when that fix becomes available.
Exploit Conditions
- Network reachability: Required (AV:N)
The attacker must reach the Oracle WebCenter Sites service over the network via HTTP; no local or physical access is needed.
- Authentication: Not required (PR:N)
No account or credentials of any privilege level are required to exploit this vulnerability.
- Victim interaction: Not required (UI:N)
Exploitation is fully attacker-driven and requires no action from any user of the affected system.
- Attack complexity: Low (AC:L)
Attack complexity is low: exploitation depends on no special conditions, race timing, or environmental prerequisites beyond being able to reach the service.
Blast Radius
- A successful attacker reads all data stored in the WebCenter Sites instance, including content, configuration, and any credentials held in application storage.
- A successful attacker modifies or deletes persisted content, configuration, and application data within WebCenter Sites.
- A successful attacker crashes or renders the WebCenter Sites service unavailable, disrupting content delivery.
- Because the CVSS scope is changed (S:C), the impact of a successful attack is not confined to WebCenter Sites: Oracle's advisory states that attacks may significantly impact additional products, so a compromised instance can serve as a foothold against other products or services in the same environment.
How HarborGuard Handles This
Available on HarborGuard: this CVE is ingested and matched against all customer images immediately upon advisory publication, with a CVSS 10.0 Critical severity flag routed per each organization's compliance policy. Because Oracle has not yet published a fix for affected versions 12.2.1.4.0 and 14.1.2.0.0, no patched rebuild is available upstream yet.

In the interim, HarborGuard recommends:
- applying network-policy isolation to restrict inbound HTTP access to WebCenter Sites to trusted source ranges only;
- enabling egress filtering to limit lateral movement if the service is compromised;
- considering feature-flag or load-balancer gating to reduce the exposed attack surface.

HarborGuard will re-evaluate the advisory on every ingest cycle; for customers with auto-remediation enabled, a patched rebuild, regression test run, and PR against affected workloads will be triggered automatically the moment Oracle ships a fix, with median time from fix publication to merged patch PR for Critical-severity issues around 90 minutes in auto-remediation-enabled environments.
- Oracle Corporation / Oracle WebCenter Sites: 12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H