CVE-2026-46838: Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework)
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: — (no upstream fix published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical privilege-escalation vulnerability exists in the Security Framework component of Oracle WebCenter Portal (versions 12.2.1.4.0 and 14.1.2.0.0). The flaw is reachable over the network via HTTPS and requires only a low-privileged account (PR:L), with no user interaction (UI:N). Successful exploitation gives an attacker full control over Oracle WebCenter Portal (C:H/I:H/A:H) and, because the CVSS scope is changed (S:C), can cascade into compromise of additional products in the same environment. The Oracle advisory text does not describe the underlying weakness, and no upstream fix has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild as soon as Oracle releases one.
HarborGuard Coverage
Detection capability for CVE-2026-46838 is available across all HarborGuard environments, with ingestion from upstream NVD and Oracle advisory feeds occurring within minutes of publication. Matching runs automatically against images in customer registries and CI/CD pipelines, including custom-built images derived from Oracle WebCenter Portal base layers.
Status: Available
HarborGuard scores this CVE at CVSS 9.9 (Critical) and weighs findings against each customer organization's compliance policy to determine severity routing. Alerts are directed to the appropriate team inbox within each customer environment based on configured escalation rules for critical-severity issues.
Status: Available
Because no upstream fix version has been published, HarborGuard re-evaluates the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a corrected release. In the interim, compensating controls such as network-policy isolation limiting HTTPS access to WebCenter Portal and egress filtering can be surfaced through HarborGuard's policy recommendation workflow.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Oracle WebCenter Portal service over the network via HTTPS (AV:N); no local or physical access is needed.
- Authentication: Required
Any valid low-privilege account is sufficient (PR:L); no administrative or elevated credentials are needed to trigger the vulnerability.
- Victim interaction: Not required
No action from a logged-in user or administrator is needed (UI:N); the attacker can exploit the flaw entirely on their own.
- Attack complexity: Low
No race conditions or special environmental configuration are required (AC:L); an attacker who meets the two requirements above can attempt exploitation directly.
Blast Radius
- Reads all confidential content stored in WebCenter Portal, including documents, pages, and user session data.
- Modifies or deletes portal content, configurations, and persisted user data.
- Crashes or degrades the WebCenter Portal service, making it unavailable to users.
- Compromises additional products sharing the same Fusion Middleware environment due to scope change, extending the attacker's reach beyond the initial target.
How HarborGuard Handles This
Because Oracle has not yet published a fix for CVE-2026-46838, the platform monitors the Oracle security advisory on every ingest cycle and will automatically initiate a patched-image rebuild for affected image layers (12.2.1.4.0 and 14.1.2.0.0) the moment an upstream patch is released. For customers with auto-remediation enabled, that rebuild is followed immediately by a regression-test run and a PR opened against affected workloads; HarborGuard reports a median time from upstream publication to merged patch PR of around 90 minutes for critical-severity issues.
While no patch is available, HarborGuard's policy recommendation workflow can surface compensating controls: network-policy rules that restrict HTTPS access to WebCenter Portal to authorized source ranges, egress filtering to limit lateral movement if the service is compromised, and feature-flag or access-control configurations that reduce the attack surface exposed to low-privileged accounts. These controls narrow the exposure rather than remove it: the vulnerability needs only a valid low-privileged account (PR:L), so an attacker who already holds such credentials and an allowed source address is not stopped by network restrictions alone, and limiting which accounts can authenticate to the portal is the complementary measure until a fix ships.
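One concrete form of the network-policy control recommended above and under HarborGuard Coverage, as an added example that is not HarborGuard's or Oracle's code: a Python script that emits a Kubernetes NetworkPolicy (as JSON, which `kubectl apply -f` accepts) default-denying traffic to the portal pods and allowing only HTTPS from authorized source ranges plus egress to cluster DNS and one explicit backend, and then evaluates the policy's ipBlock ingress rules against sample source addresses the way a CNI would. The namespace, pod labels, CIDRs, the excepted subnet and the database target are all assumptions for illustration; substitute your own.

```python
import ipaddress
import json

# Hypothetical values: replace with the namespace, labels and ranges of your deployment.
NAMESPACE = "webcenter"
PORTAL_LABELS = {"app": "webcenter-portal"}
AUTHORIZED_CLIENT_CIDRS = ["10.20.0.0/16"]      # e.g. the reverse proxy / WAF tier
DENIED_WITHIN_CLIENT_RANGE = ["10.20.99.0/24"]  # e.g. a shared build/test subnet inside it
EGRESS_TARGETS = [("10.30.5.10/32", 1521)]      # e.g. the portal's database listener


def build_network_policy() -> dict:
    """Select the portal pods, default-deny both directions, then allow only
    HTTPS from authorized ranges (minus exceptions) and egress to DNS and targets."""
    ingress_rule = {
        "from": [
            {"ipBlock": {"cidr": cidr, "except": DENIED_WITHIN_CLIENT_RANGE}}
            for cidr in AUTHORIZED_CLIENT_CIDRS
        ],
        "ports": [{"protocol": "TCP", "port": 443}],
    }
    egress_rules = [
        # Cluster DNS in kube-system, so name resolution keeps working under default-deny.
        {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}}}],
         "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}]},
    ] + [
        {"to": [{"ipBlock": {"cidr": cidr}}], "ports": [{"protocol": "TCP", "port": port}]}
        for cidr, port in EGRESS_TARGETS
    ]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "webcenter-portal-restrict", "namespace": NAMESPACE},
        "spec": {
            "podSelector": {"matchLabels": PORTAL_LABELS},
            # Listing both types makes the empty-default deny apply in each direction.
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [ingress_rule],
            "egress": egress_rules,
        },
    }


def _ip_block_matches(block: dict, ip: str) -> bool:
    """ipBlock semantics: inside 'cidr' and not inside any 'except' range."""
    addr = ipaddress.ip_address(ip)
    if addr not in ipaddress.ip_network(block["cidr"]):
        return False
    return not any(addr in ipaddress.ip_network(x) for x in block.get("except", []))


def ingress_allowed(policy: dict, src_ip: str, port: int, protocol: str = "TCP") -> bool:
    """A connection is allowed if some ingress rule matches a peer AND a port.
    A rule without 'from' matches any peer; one without 'ports' matches any port.
    Only ipBlock peers are evaluated here: selector peers need pod labels, not an IP,
    so for an IP-only check they are treated as non-matching."""
    for rule in policy["spec"].get("ingress", []):
        port_ok = "ports" not in rule or any(
            p["port"] == port and p.get("protocol", "TCP") == protocol for p in rule["ports"])
        peer_ok = "from" not in rule or any(
            "ipBlock" in peer and _ip_block_matches(peer["ipBlock"], src_ip) for peer in rule["from"])
        if port_ok and peer_ok:
            return True
    return False


if __name__ == "__main__":
    policy = build_network_policy()
    print(json.dumps(policy, indent=2))                 # pipe into: kubectl apply -f -
    print(ingress_allowed(policy, "10.20.1.5", 443))    # True: authorized proxy tier
    print(ingress_allowed(policy, "10.20.99.7", 443))   # False: excepted subnet
    print(ingress_allowed(policy, "192.168.1.9", 443))  # False: outside the authorized range
    print(ingress_allowed(policy, "10.20.1.5", 8443))   # False: only 443 is exposed
```

Two caveats when applying this: the policy only has effect if the cluster's CNI enforces NetworkPolicy, and the source address it matches is whatever actually reaches the pod, so traffic arriving through a load balancer or ingress controller must be restricted at that hop (or the proxy tier's range used as the authorized CIDR, as the example does). It is a stopgap, not a fix: a user with a valid low-privileged account on an allowed source address can still reach the vulnerable component.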
- Oracle Corporation / Oracle WebCenter Portal: 12.2.1.4.0 · 14.1.2.0.0
  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H