CVE-2026-46802 · CRITICAL · CNA: oracle

CVE-2026-46802: Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework)

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: none listed
Affected Products: 1

HarborGuard Analysis

Synopsis

A critical vulnerability in the Security Framework component of Oracle WebCenter Portal (versions 12.2.1.4.0 and 14.1.2.0.0) allows a low-privileged attacker to reach the portal over HTTP and fully compromise it. No authentication beyond a basic user account is required, and the attack scope extends beyond the portal itself to other products in the environment. Successful exploitation gives the attacker complete control over confidentiality, integrity, and availability of the portal and potentially adjacent systems. No upstream fix version has been published; HarborGuard is tracking the advisory and will make a patched rebuild available as soon as Oracle ships one.

HarborGuard Coverage

Detection

Detection for CVE-2026-46802 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and build pipelines, including custom-built images that layer Oracle WebCenter Portal components.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its CVSS 3.1 base score of 9.9 (Critical) and weighting it against each environment's compliance policy to determine urgency and routing. Triage alerts are routable to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle WebCenter Portal service over the network via HTTP; no local or physical access is needed.

  • Authentication: Required

    Any valid low-privilege account is sufficient; administrative credentials are not required.

  • Victim interaction: Not required

    No action from another user or administrator is needed to trigger the vulnerability.

  • Attack complexity: Detail

    The exploit is reliable and condition-free; no race conditions, memory-layout dependencies, or special environmental factors are required.

Blast Radius

  • A successful attacker reads all data accessible within Oracle WebCenter Portal, including stored user sessions, portal content, and any credentials or tokens held by the application.
  • The attacker can modify or delete portal content, configuration, and persisted application data.
  • The attacker can crash or deny availability of the Oracle WebCenter Portal service entirely.
  • Because the CVSS scope is changed, the attacker can pivot to compromise other products and services in the same environment that trust or integrate with the portal.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across connected environments and will flag any image running Oracle WebCenter Portal 12.2.1.4.0 or 14.1.2.0.0. Because Oracle has not published a fix version as of the CVE publication date, no patched rebuild is currently available. HarborGuard monitors the Oracle advisory on every ingest cycle and will make a patched-image rebuild available immediately upon upstream publication; for customers with auto-remediation enabled, the full rebuild, regression-test, and PR flow will trigger automatically at that point. In the interim, compensating controls worth considering include network-policy rules that restrict HTTP access to the portal to known, authorized source ranges; egress filtering to limit the blast radius of any scope-change exploitation; and, where feasible, disabling or isolating Security Framework features until a patch is available.

Affected packages
  • Oracle Corporation / Oracle WebCenter Portal
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H