This vulnerability affects the Composer component of Oracle WebCenter Portal in versions 12.2.1.4.0 and 14.1.2.0.0. It is easily exploitable by a low privileged attacker with network access over HTTP and can lead to complete takeover of the Oracle WebCenter Portal. The vulnerability also has scope change implications, potentially affecting other Oracle products. The CVSS 3.1 vector indicates network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high impacts on confidentiality, integrity, and availability. Oracle's June 2026 Critical Security Patch Update includes patches addressing this vulnerability. Oracle strongly recommends applying these patches without delay to prevent exploitation.

Successful exploitation of CVE-2026-46765 can result in full compromise of Oracle WebCenter Portal, including complete loss of confidentiality, integrity, and availability of the affected system. The vulnerability's scope change means that other Oracle products integrated or dependent on WebCenter Portal may also be impacted. This could lead to significant operational disruption and data breaches within affected environments.

Oracle has released patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers should apply these patches promptly to remediate the vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required by the attack and by removing unnecessary privileges or access to vulnerable components from users. However, these workarounds may impact application functionality. Oracle strongly recommends staying on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory linked.