CRITICAL · CVE-2026-46814 · CNA: oracle

CVE-2026-46814: Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework)

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical vulnerability in the Security Framework component of Oracle WebCenter Portal (versions 12.2.1.4.0 and 14.1.2.0.0) allows a low-privileged attacker to reach the service over HTTP and fully compromise the portal. No victim interaction is required, and the exploit is reliable under normal network conditions. Successful exploitation gives the attacker complete control over the portal, including read and write access to all data and the ability to crash the service, with impact extending beyond the portal itself to other products in the environment. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is matched against customer images within minutes of ingestion from upstream Oracle and NVD advisory feeds, covering both official Oracle images and any custom-built images derived from affected base layers. Scans run continuously across registries and CI pipelines, so newly pushed images are checked immediately.

Status: Available

Triage

HarborGuard scores this finding at CVSS 9.9 Critical and weights it against each customer organization's compliance policy to determine urgency and routing. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle WebCenter Portal service over the network via HTTP; no physical or local access is needed.

  • Authentication: Required

    Any low-privilege account on the portal is sufficient; no administrative credentials are required.

  • Victim interaction: Not required

    The attacker does not need to trick or wait for any user to take an action; exploitation proceeds entirely attacker-side.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • Reads all stored portal content, session tokens, and user account data accessible within Oracle WebCenter Portal.
  • Modifies or deletes persisted portal pages, user records, and configuration data.
  • Crashes the Oracle WebCenter Portal service, making it unavailable to all users.
  • Compromises additional products sharing the same environment due to scope change, extending attacker reach beyond the portal itself.

How HarborGuard Handles This

Available on HarborGuard: continuous scanning against this CVE is active for all customer registries and pipelines, with findings scored at CVSS 9.9 Critical and routed according to each organization's compliance policy. Because Oracle has not yet published a fix version for affected releases 12.2.1.4.0 and 14.1.2.0.0, no patched-image rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will trigger the rebuild-and-PR flow automatically once Oracle ships a fix, with no manual step required for customers who have auto-remediation enabled. In the interim, compensating controls worth considering include network-policy isolation to restrict HTTP access to the portal to known-good source IP ranges, egress filtering to limit lateral movement if the portal is compromised, and review of which accounts hold portal credentials to minimize the pool of valid low-privilege sessions an attacker could leverage.

Affected packages
  • Oracle Corporation / Oracle WebCenter Portal
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H