CVE-2026-46812: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessibl
CVE-2026-46812 is a medium severity vulnerability in Oracle Access Manager versions 12.2.1.4.0 and 14.1.2.1.0. It allows an unauthenticated attacker with network access via HTTP to compromise the product, requiring user interaction from a third party. Successful exploitation can lead to unauthorized read and modification (update, insert, delete) of some Oracle Access Manager accessible data. The vulnerability has a CVSS 3.1 base score of 6.1, reflecting impacts on confidentiality and integrity with no impact on availability. Oracle has released a Critical Security Patch Update in June 2026 addressing this and many other vulnerabilities and strongly recommends applying these patches promptly. Until patched, risk may be reduced by blocking required network protocols or limiting privileges, though these mitigations may impact functionality.
AI Analysis
Technical Summary
CVE-2026-46812 affects Oracle Access Manager's Authentication Engine component in versions 12.2.1.4.0 and 14.1.2.1.0. It is an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Exploitation requires user interaction from someone other than the attacker and can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of data. The vulnerability has a CVSS 3.1 score of 6.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and low confidentiality and integrity impacts. Oracle’s June 2026 Critical Security Patch Update includes patches for this vulnerability. Oracle strongly urges customers to apply these patches without delay to mitigate the risk. Workarounds include blocking network protocols required for exploitation and restricting privileges, though these may disrupt normal operations.
Potential Impact
Successful exploitation can lead to unauthorized read access to some Oracle Access Manager data and unauthorized modification (update, insert, delete) of some accessible data. The vulnerability affects confidentiality and integrity but does not impact availability. The attack requires user interaction from a person other than the attacker and network access via HTTP. The vulnerability also has scope change implications, potentially impacting additional products beyond Oracle Access Manager.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers are strongly advised to apply the June 2026 Critical Security Patch Update promptly to remediate this issue. Until patches are applied, risk may be reduced by blocking network protocols required for the attack and by removing unnecessary privileges or access to certain packages from users who do not require them. However, these mitigations may affect application functionality. Oracle recommends remaining on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory.
CVE-2026-46812: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Access Manager accessibl
Description
CVE-2026-46812 is a medium severity vulnerability in Oracle Access Manager versions 12.2.1.4.0 and 14.1.2.1.0. It allows an unauthenticated attacker with network access via HTTP to compromise the product, requiring user interaction from a third party. Successful exploitation can lead to unauthorized read and modification (update, insert, delete) of some Oracle Access Manager accessible data. The vulnerability has a CVSS 3.1 base score of 6.1, reflecting impacts on confidentiality and integrity with no impact on availability. Oracle has released a Critical Security Patch Update in June 2026 addressing this and many other vulnerabilities and strongly recommends applying these patches promptly. Until patched, risk may be reduced by blocking required network protocols or limiting privileges, though these mitigations may impact functionality.
CVSS v3.1
Score 6.1medium
Affected software
pkg:maven/com.oracle/access-managerRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46812 affects Oracle Access Manager's Authentication Engine component in versions 12.2.1.4.0 and 14.1.2.1.0. It is an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Exploitation requires user interaction from someone other than the attacker and can result in unauthorized update, insert, or delete access to some accessible data, as well as unauthorized read access to a subset of data. The vulnerability has a CVSS 3.1 score of 6.1 with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and low confidentiality and integrity impacts. Oracle’s June 2026 Critical Security Patch Update includes patches for this vulnerability. Oracle strongly urges customers to apply these patches without delay to mitigate the risk. Workarounds include blocking network protocols required for exploitation and restricting privileges, though these may disrupt normal operations.
Potential Impact
Successful exploitation can lead to unauthorized read access to some Oracle Access Manager data and unauthorized modification (update, insert, delete) of some accessible data. The vulnerability affects confidentiality and integrity but does not impact availability. The attack requires user interaction from a person other than the attacker and network access via HTTP. The vulnerability also has scope change implications, potentially impacting additional products beyond Oracle Access Manager.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers are strongly advised to apply the June 2026 Critical Security Patch Update promptly to remediate this issue. Until patches are applied, risk may be reduced by blocking network protocols required for the attack and by removing unnecessary privileges or access to certain packages from users who do not require them. However, these mitigations may affect application functionality. Oracle recommends remaining on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.301Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b6130b89be68882659a3
Added to database: 6/16/2026, 8:46:11 PM
Last enriched: 6/16/2026, 11:01:59 PM
Last updated: 6/17/2026, 5:09:44 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.