CVE-2026-46767 in Oracle Corporation Oracle WebCenter Portal: Easily exploitable vulnerability allows low-privileged attacker with network access via HTTP to compromise Oracle WebCenter Portal. While the vulnerability is in Oracle WebCenter Portal, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal.
CVE-2026-46767 is a critical vulnerability in Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0. It allows a low-privileged attacker with network access via HTTP to compromise the portal, potentially leading to full takeover. The vulnerability impacts confidentiality, integrity, and availability, with a CVSS 3.1 base score of 9.9. Oracle has included this vulnerability in its June 2026 Critical Security Patch Update, which contains numerous security fixes across multiple products. Oracle strongly recommends applying the security patches promptly to mitigate this risk. Until patches are applied, risk may be reduced by blocking the network protocols the attack requires or by restricting privileges, though these measures may affect functionality.
AI Analysis
Technical Summary
CVE-2026-46767 is a vulnerability in the Composer component of Oracle WebCenter Portal within Oracle Fusion Middleware. It affects versions 12.2.1.4.0 and 14.1.2.0.0. The flaw is easily exploitable by a low-privileged attacker with network access over HTTP, enabling compromise and potential takeover of Oracle WebCenter Portal. The vulnerability has a critical CVSS 3.1 score of 9.9, reflecting high impact on confidentiality, integrity, and availability, and a scope change affecting additional Oracle products. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update advisory. The advisory emphasizes the importance of applying patches promptly and notes possible interim mitigations such as blocking network protocols or removing unnecessary privileges, though these may disrupt application functionality.
Potential Impact
Successful exploitation allows an attacker with low privileges and network access via HTTP to fully compromise Oracle WebCenter Portal, resulting in complete takeover. This impacts confidentiality, integrity, and availability of the affected system. The vulnerability also has a scope change, meaning attacks may significantly affect other Oracle products beyond WebCenter Portal.
Mitigation Recommendations
Oracle has released security patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches without delay. Until patches are applied, risk can be partially mitigated by blocking the network protocols required for the attack or by removing unnecessary privileges from users. However, these mitigations may impact application functionality. Oracle recommends remaining on actively supported versions and promptly applying all relevant security updates. Patch status is confirmed by the linked vendor advisory.
CVSS v3.1
Score: 9.9 (critical)
Affected software
pkg:maven/com.oracle.webcenter/portal
Technical Details
- Data Version: 5.2
- Assigner Short Name: oracle
- Date Reserved: 2026-05-18T15:55:10.296Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
- Vendor Advisory URLs: https://www.oracle.com/security-alerts/cspujun2026.html (Oracle)
Threat ID: 6a31b6040b89be68882655f4
Added to database: 6/16/2026, 8:45:56 PM
Last enriched: 6/16/2026, 11:32:29 PM
Last updated: 6/17/2026, 5:00:06 AM