CVE-2026-46809: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Sites accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. in Oracle Corporation Oracle WebCenter Sites
CVE-2026-46809 is a critical vulnerability in Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0. It allows an unauthenticated attacker with network access via HTTP to compromise the product. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data or complete access to all data accessible through Oracle WebCenter Sites. The vulnerability has a CVSS 3.1 base score of 9.1, indicating high confidentiality and integrity impact without availability impact. Oracle has released a Critical Security Patch Update in June 2026 addressing this and many other vulnerabilities. Customers are strongly advised to apply the available patches promptly to mitigate the risk. Until patches are applied, risk reduction may be possible by blocking required network protocols or restricting privileges, though these may impact functionality.
AI Analysis
Technical Summary
CVE-2026-46809 affects Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 and is an easily exploitable vulnerability that allows unauthenticated attackers with network access via HTTP to compromise the system. Exploitation can result in unauthorized creation, deletion, or modification of critical data or complete unauthorized access to all data accessible through Oracle WebCenter Sites. The vulnerability has a CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating network attack vector with low attack complexity, no privileges or user interaction required, and high confidentiality and integrity impact. Oracle's June 2026 Critical Security Patch Update includes patches addressing this vulnerability. Oracle strongly recommends applying these patches immediately. Workarounds such as blocking network protocols or removing unnecessary privileges may reduce risk temporarily but can affect application functionality.
Potential Impact
An unauthenticated attacker with network access via HTTP can exploit this vulnerability to gain unauthorized creation, deletion, or modification access to critical data or full access to all data accessible through Oracle WebCenter Sites. This compromises confidentiality and integrity of the data but does not impact availability. The vulnerability is critical with a CVSS score of 9.1.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that addresses CVE-2026-46809. Customers should apply the provided security patches without delay to remediate this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, though these measures may disrupt normal application functionality. Patch status is confirmed by the vendor advisory. No indication of automatic or cloud service patching is present; manual patch application is required.
CVE-2026-46809: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle WebCenter Sites accessible data as well as unauthorized access to critical data or complete access to all Oracle WebCenter Sites accessible data. in Oracle Corporation Oracle WebCenter Sites
Description
CVE-2026-46809 is a critical vulnerability in Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0. It allows an unauthenticated attacker with network access via HTTP to compromise the product. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data or complete access to all data accessible through Oracle WebCenter Sites. The vulnerability has a CVSS 3.1 base score of 9.1, indicating high confidentiality and integrity impact without availability impact. Oracle has released a Critical Security Patch Update in June 2026 addressing this and many other vulnerabilities. Customers are strongly advised to apply the available patches promptly to mitigate the risk. Until patches are applied, risk reduction may be possible by blocking required network protocols or restricting privileges, though these may impact functionality.
CVSS v3.1
Score 9.1critical
Affected software
pkg:maven/com.oracle/webcenter-sitesRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46809 affects Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0 and is an easily exploitable vulnerability that allows unauthenticated attackers with network access via HTTP to compromise the system. Exploitation can result in unauthorized creation, deletion, or modification of critical data or complete unauthorized access to all data accessible through Oracle WebCenter Sites. The vulnerability has a CVSS 3.1 score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating network attack vector with low attack complexity, no privileges or user interaction required, and high confidentiality and integrity impact. Oracle's June 2026 Critical Security Patch Update includes patches addressing this vulnerability. Oracle strongly recommends applying these patches immediately. Workarounds such as blocking network protocols or removing unnecessary privileges may reduce risk temporarily but can affect application functionality.
Potential Impact
An unauthenticated attacker with network access via HTTP can exploit this vulnerability to gain unauthorized creation, deletion, or modification access to critical data or full access to all data accessible through Oracle WebCenter Sites. This compromises confidentiality and integrity of the data but does not impact availability. The vulnerability is critical with a CVSS score of 9.1.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that addresses CVE-2026-46809. Customers should apply the provided security patches without delay to remediate this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, though these measures may disrupt normal application functionality. Patch status is confirmed by the vendor advisory. No indication of automatic or cloud service patching is present; manual patch application is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.301Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b6130b89be688826599d
Added to database: 6/16/2026, 8:46:11 PM
Last enriched: 6/16/2026, 11:15:08 PM
Last updated: 6/17/2026, 4:59:00 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.