CVE-2026-46846: Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework)
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware (component: Security Framework). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 10.0
- Severity: CRITICAL
- Fixed in: — (no fix version published yet)
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical authentication bypass vulnerability exists in the Security Framework component of Oracle WebCenter Portal (versions 12.2.1.4.0 and 14.1.2.0.0). An unauthenticated attacker with HTTP access to the portal can reach the vulnerable component over the network with no credentials required and no user interaction needed. Successful exploitation results in full takeover of Oracle WebCenter Portal, including complete read, write, and availability impact across the product and potentially additional connected systems due to a scope change. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.
HarborGuard Coverage
- Detection (Available): Detection of CVE-2026-46846 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. This matching capability covers custom-built images that include Oracle WebCenter Portal components, not just official base images.
- Triage (Available): Triage is available using the CVSS 3.1 score of 10.0 (Critical), with per-environment compliance policy weighting applied to prioritize alert routing. Each customer org's policy configuration determines which team inbox or ticketing integration receives the resulting finding.
- Remediation (Pending upstream): Because no fix version has been published by Oracle, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention as soon as a patched base is available.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the Oracle WebCenter Portal service over the network via HTTP; no local access or special network position is needed.
- Authentication: Not required
  No credentials of any privilege level are required; the vulnerability is exploitable by a completely unauthenticated attacker.
- Victim interaction: Not required
  No user action such as clicking a link or opening a file is needed to trigger exploitation.
- Attack complexity: Low
  Attack complexity is Low, meaning the exploit is reliable and repeatable without depending on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- A successful attacker gains full read access to all data stored in or accessible through Oracle WebCenter Portal, including documents, user data, and session material.
- The attacker can modify or delete any persisted content, configurations, and access-control rules within the portal.
- The attacker can crash or render the portal service unavailable to all users.
- Due to the scope change in the CVSS vector, systems and services that trust or integrate with Oracle WebCenter Portal are also at risk of compromise beyond the portal itself.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix version for CVE-2026-46846, HarborGuard continuously re-checks the upstream advisory on each ingest cycle. The moment Oracle ships a patched release, a rebuilt image at that version becomes available, and for customers who opt into auto-remediation, a regression test run and a PR opened against affected workloads follow automatically. In the interim, compensating controls worth considering include placing strict network-policy rules to restrict HTTP ingress to Oracle WebCenter Portal only from known-trusted source ranges, applying egress filtering to limit what the portal process can reach internally (to reduce scope-change risk), and disabling any non-essential integrations that rely on the portal's Security Framework component. HarborGuard will surface an updated finding and trigger the patched-image flow as soon as upstream coverage is available.
Affected Products
- Oracle Corporation / Oracle WebCenter Portal: 12.2.1.4.0 · 14.1.2.0.0
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H