This vulnerability affects the Security Framework component of Oracle WebCenter Portal in versions 12.2.1.4.0 and 14.1.2.0.0. It is easily exploitable by a low privileged attacker over HTTPS and can lead to complete compromise of the portal, with high impact on confidentiality, integrity, and availability. The vulnerability also has scope change implications, potentially impacting other Oracle products. Oracle has published a Critical Security Patch Update in June 2026 that includes fixes for this vulnerability among 245 others. The vendor strongly advises applying these patches without delay. Workarounds such as blocking network protocols or removing unnecessary privileges may reduce risk temporarily but can disrupt normal operations.

Successful exploitation results in full takeover of Oracle WebCenter Portal, severely impacting confidentiality, integrity, and availability of the affected system. The vulnerability also has the potential to affect additional Oracle products beyond WebCenter Portal due to scope change. The CVSS 3.1 score of 9.9 reflects critical severity with network attack vector, low attack complexity, no user interaction, and privileges required but with complete system compromise possible.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers are strongly advised to apply the security patches as soon as possible to remediate the issue. Until patches are applied, risk may be mitigated by blocking network protocols required for exploitation or by removing unnecessary privileges from users, though these measures may impact application functionality. Oracle recommends remaining on actively supported versions and promptly applying all security updates. Patch status is confirmed by the vendor advisory linked in the input.