CRITICAL · CVE-2026-46800 · CNA: oracle

CVE-2026-46800: Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites)

Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. While the vulnerability is in Oracle WebCenter Sites, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 10.0
  • Severity: CRITICAL
  • Fixed in: (no fix version published)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical unauthenticated remote takeover vulnerability exists in Oracle WebCenter Sites (versions 12.2.1.4.0 and 14.1.2.0.0), a component of Oracle Fusion Middleware. The flaw is reachable over the network via HTTP and requires no credentials or user interaction to exploit. Successful exploitation gives an attacker full control of the WebCenter Sites instance, with impacts to confidentiality, integrity, and availability that extend beyond the directly targeted product (scope change). HarborGuard is tracking the advisory for patch availability, as no fix version has been published by Oracle at this time.

HarborGuard Coverage

Detection: Available

Detection capability is available across all HarborGuard environments: the CVE is ingested from upstream feeds within minutes of publication and matched against every customer image in connected registries and CI/CD pipelines, including internally built images that bundle WebCenter Sites components.
Triage: Available

HarborGuard is capable of scoring this finding at its full CVSS 3.1 severity of 10.0 (Critical) and weighting it against each environment's compliance policy to determine priority; routing to the appropriate team inbox within each customer organization is handled automatically based on configured ownership rules.
Patch: Pending upstream

Because Oracle has not published a fix version for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, compensating controls such as network-policy isolation of WebCenter Sites pods, egress filtering, and WAF rule deployment can be surfaced as recommendations within the HarborGuard console.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WebCenter Sites HTTP service over the network; no local or physical access is required.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is exploitable by an entirely unauthenticated attacker.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; exploitation is entirely attacker-driven.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites apply.

Blast Radius

  • A successful attacker reads all data stored in and accessible through WebCenter Sites, including content, configuration, and any integrated credentials.
  • The attacker can modify or destroy persisted content, site configuration, and data in connected backend systems.
  • The attacker can crash or render the WebCenter Sites service unavailable, disrupting web content delivery.
  • Because the CVSS scope is changed, compromise extends beyond WebCenter Sites itself and can affect other products and services running in the same environment.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical (CVSS 10.0) and surfaced immediately in the finding feed for any image found to carry an affected version of Oracle WebCenter Sites (12.2.1.4.0 or 14.1.2.0.0). Because Oracle has not yet published a fix, the automated rebuild-and-PR flow is not yet available; HarborGuard will re-evaluate the advisory on every ingest cycle and make a patched rebuild available the moment Oracle ships a fix, with auto-remediation customers receiving a rebuild, regression-test run, and pull request against affected workloads automatically. While no patch exists, HarborGuard can surface compensating-control recommendations including network-policy rules that restrict inbound HTTP access to WebCenter Sites pods, egress filtering to limit lateral movement after a breach, and WAF rule sets targeting known exploitation patterns for this service.

Affected packages
  • Oracle Corporation / Oracle WebCenter Sites
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H