CVE-2026-46809: Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites)
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Sites accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical unauthenticated vulnerability affects Oracle WebCenter Sites 12.2.1.4.0 and 14.1.2.0.0 and is reachable over HTTP from any network position that can talk to the service. Exploitation needs no credentials and no user interaction, so any attacker who can reach the HTTP endpoint can attempt it. Oracle rates the impact as unauthorized access to critical data, up to all data accessible to WebCenter Sites, together with the ability to create, modify or delete that data; availability is not affected. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Oracle publishes a fix version.
HarborGuard Coverage
- Detection (Available): Detection is active across every HarborGuard environment: the CVE is ingested from the upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle WebCenter Sites. Any image carrying an affected version (12.2.1.4.0 or 14.1.2.0.0) is flagged automatically.
- Triage (Available): HarborGuard scores this CVE at CVSS 9.1 (Critical) and applies each customer organization's compliance-policy weighting to determine the priority tier. Findings are routed to the appropriate team inbox within the customer org based on image ownership and policy configuration.
- Remediation (Pending upstream): Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available as soon as Oracle releases a corrected version. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version is confirmed.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Oracle WebCenter Sites HTTP endpoint over a network (CVSS AV:N); no local or physical access is needed.
- Authentication: Not required
No credentials of any kind are required (PR:N); the service can be attacked by any unauthenticated client.
- Victim interaction: Not required
No user action is needed (UI:N); the attacker interacts with the service directly, without involving any human target.
- Attack complexity: Low
Attack complexity is low (AC:L): exploitation does not depend on conditions outside the attacker's control, such as a race window, a non-default configuration, or knowledge of the target that must first be gathered through reconnaissance.
Blast Radius
- Read access to critical data, up to all data accessible to Oracle WebCenter Sites, including content, configuration, and any sensitive records the application can reach.
- Creation, modification, or deletion of critical data across the WebCenter Sites data set, enabling persistent content tampering or data destruction.
- With confidentiality and integrity both rated High and availability not affected (A:N), an attacker can exfiltrate data and simultaneously alter or remove records to cover tracks or cause business disruption while the service keeps running, so an outage is not a reliable sign that exploitation has occurred.
How HarborGuard Handles This
Available on HarborGuard: automated detection of this CVE is active against all customer images containing Oracle WebCenter Sites 12.2.1.4.0 or 14.1.2.0.0. Because Oracle has not yet published a fix version, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a corrected release appears upstream. For customers with auto-remediation enabled, the rebuild and regression run will trigger automatically at that point, with a PR opened against affected workloads. In the interim, compensating controls worth evaluating include network-policy rules that restrict inbound HTTP access to the WebCenter Sites service to known trusted sources only, egress filtering to limit what the compromised service can reach if exploitation occurs, and feature-flag or WAF-rule gating on exposed HTTP endpoints where operationally feasible.
Affected Products
- Oracle Corporation / Oracle WebCenter Sites: 12.2.1.4.0 · 14.1.2.0.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)