CRITICAL · CVE-2026-46845 · CNA: oracle

CVE-2026-46845: Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework)

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is an authentication bypass (or equivalent unauthenticated remote compromise) vulnerability in the Security Framework component of Oracle WebCenter Portal, affecting versions 12.2.1.4.0 and 14.1.2.0.0. An attacker reachable over HTTPS needs no credentials and no help from a victim to exploit it. Successful exploitation results in full takeover of the Oracle WebCenter Portal instance, giving the attacker read, write, and denial-of-service capability over the system. No fix version has been published by Oracle; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-46845 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Oracle WebCenter Portal components.

Status: Available

Triage

Triage is available with a CVSS 3.1 score of 9.8 (Critical), surfaced alongside each customer organization's compliance policy weighting to determine breach-of-threshold alerting and routing to the appropriate team inbox within that environment.

Status: Available

Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle publishes a corrected release. In the interim, compensating-control guidance (network-policy isolation, egress filtering, and WAF rule application) is available within the HarborGuard advisory detail for affected images.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle WebCenter Portal service over the network via HTTPS; internet or intranet exposure to the service is sufficient to attempt exploitation.

  • Authentication: Not required

    No account or credentials of any kind are needed; the vulnerability is exploitable by a completely anonymous attacker.

  • Victim interaction: Not required

    The attacker does not need to trick or wait for any user action; exploitation is fully attacker-driven.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of the target environment beyond network access.

Blast Radius

  • The attacker gains full read access to all data stored in or accessible through the portal, including session tokens, user records, and any connected content repositories.
  • The attacker can write or modify any portal content, configuration, or persisted data, enabling defacement, data manipulation, or privilege escalation within connected systems.
  • The attacker can crash or render the Oracle WebCenter Portal service unavailable, disrupting all users and dependent workflows.
  • Because the CVSS descriptor indicates full system takeover, the attacker can install persistent backdoors or pivot to adjacent systems reachable from the portal host.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46845, the platform monitors the Oracle advisory on every ingest cycle and will surface a patched-image rebuild automatically as soon as an upstream fix ships. Until then, HarborGuard flags all images containing affected versions (12.2.1.4.0 and 14.1.2.0.0) as Critical across connected registries and pipelines. Teams are encouraged to apply compensating controls where feasible: network-policy rules that restrict HTTPS access to the portal to known-good source ranges, WAF rules targeting the Security Framework attack surface, and feature-flag or access-control gating at the load-balancer layer. When a fix version is released, customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads, with typical median time from CVE patch publication to merged PR running around 90 minutes for Critical-severity issues in auto-remediation-enabled environments.

Affected packages
  • Oracle Corporation / Oracle WebCenter Portal
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H