CVE-2026-35261 is a vulnerability in Oracle Access Manager's Authentication Engine component affecting versions 12.2.1.4.0 and 14.1.2.1.0. It allows an unauthenticated attacker with network access over HTTP to compromise the system, resulting in unauthorized read and write access to certain accessible data. The CVSS 3.1 base score is 6.5, reflecting low complexity and no required privileges or user interaction for exploitation. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update, which includes 245 security patches across multiple products. The vendor strongly urges customers to apply these patches without delay. Until patches are applied, risk mitigation may involve blocking relevant network protocols or restricting privileges, though these measures may affect application functionality.

The vulnerability permits an unauthenticated remote attacker to gain unauthorized read access to some Oracle Access Manager data and unauthorized update, insert, or delete access to some accessible data. This compromises confidentiality and integrity but does not affect availability. The CVSS score of 6.5 indicates a medium severity impact. There are no known exploits in the wild at the time of publication.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update, which includes patches addressing this vulnerability. Customers should remain on actively supported versions and apply security patches promptly to mitigate the risk. Until patches are applied, risk can be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, though these workarounds may disrupt application functionality. No official temporary fixes or alternative mitigations are provided by Oracle.