This vulnerability affects Oracle Application Development Framework (ADF) component ADF Faces in versions 12.2.1.4.0 and 14.1.2.0.0. It requires a high privileged attacker who already has logon access to the infrastructure hosting ADF. Exploitation can result in unauthorized access to critical data or complete access to all data accessible via ADF, as well as unauthorized update, insert, or delete operations on some data. The CVSS 3.1 vector indicates local attack vector (AV:L), high attack complexity (AC:H), high privileges required (PR:H), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N), resulting in a base score of 4.7 (medium severity). Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update and advises customers to apply patches without delay.

An attacker with high privileges and logon access to the infrastructure running Oracle ADF can exploit this vulnerability to gain unauthorized access to critical data or all data accessible through ADF. Additionally, the attacker can perform unauthorized data modifications including update, insert, or delete operations on some of the accessible data. This compromises confidentiality and integrity of the affected system's data. There is no impact on availability.

Oracle has released patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these security patches promptly to mitigate the risk. Until patches are applied, risk reduction may be possible by restricting network protocols required for exploitation and by removing unnecessary privileges or package access from users who do not require them, although these measures may impact application functionality. Oracle recommends remaining on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory.