CRITICAL · CVE-2026-46844 · CNA: oracle

CVE-2026-46844: Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework)

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical vulnerability in the Security Framework component of Oracle WebCenter Portal (versions 12.2.1.4.0 and 14.1.2.0.0) allows a low-privileged, network-authenticated attacker to fully compromise the portal via HTTPS. Because the CVSS vector includes a scope change, successful exploitation can reach beyond WebCenter Portal itself and affect other products in the environment. A successful attack results in complete takeover: full read access, modification of data, and disruption of availability across the affected system and potentially adjacent services. HarborGuard is tracking the Oracle advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built images that bundle WebCenter Portal components. Any image running an affected version (12.2.1.4.0 or 14.1.2.0.0) is flagged automatically in both registry scans and CI pipeline checks.

Triage: Available

HarborGuard scores this CVE at 9.9 CRITICAL (CVSS v3.1) and surfaces it at the top of the severity queue in every affected environment. Per-environment compliance policy weighting is applied before routing the finding to the appropriate team inbox, ensuring the right engineers receive the alert without manual triage overhead.

Patch: Pending upstream

Because no upstream fix has been published yet, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers with auto-remediation enabled, the rebuilt image will trigger a regression-test run and a PR against affected workloads without requiring manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WebCenter Portal HTTPS endpoint over the network; no physical or local access is needed.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker does not need administrative credentials, but some form of valid login is required.

  • Victim interaction: Not required

    No user action is needed; the attacker can trigger the vulnerability without involving any other person.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, special memory layouts, or environmental prerequisites are required.

Blast Radius

  • Reads all data stored in WebCenter Portal, including session tokens, user profile data, and portal content.
  • Modifies or deletes persisted portal data, configurations, and security policy settings.
  • Crashes or degrades the WebCenter Portal service, making it unavailable to all users.
  • Because the scope changes, the attacker can pivot to compromise other Oracle Fusion Middleware products sharing the same environment.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46844, the platform monitors the Oracle advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and PR against affected workloads the moment a fix version is released. In the interim, compensating controls are available: network policy isolation to restrict HTTPS access to WebCenter Portal to known, authorized source ranges; egress filtering to limit lateral-movement paths in the event of compromise; and feature-flag or access-control gating to reduce the pool of accounts that can reach the vulnerable Security Framework component. Each of these measures can be reviewed and actioned through the HarborGuard policy console while the environment awaits an upstream patch.

Affected packages
  • Oracle Corporation / Oracle WebCenter Portal
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H