This vulnerability affects the Security Framework component of Oracle WebCenter Portal in versions 12.2.1.4.0 and 14.1.2.0.0. It is easily exploitable over the network via HTTPS by an attacker with low privileges and no user interaction. Successful exploitation can lead to complete compromise of Oracle WebCenter Portal, with potential collateral impact on other Oracle products. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) reflects network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high impact on confidentiality, integrity, and availability. Oracle’s June 2026 Critical Security Patch Update includes fixes for this vulnerability. The vendor strongly recommends applying these patches immediately to prevent exploitation.

Exploitation of this vulnerability can result in full takeover of Oracle WebCenter Portal, compromising confidentiality, integrity, and availability of the affected system. The vulnerability also has scope to impact additional Oracle products beyond WebCenter Portal. Given the critical CVSS score of 9.9, the impact is severe and could lead to significant operational disruption and data compromise if exploited.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers should apply the June 2026 Critical Security Patch Update without delay to remediate this issue. Until patches are applied, risk may be reduced by blocking network protocols required by an attack or by removing unnecessary privileges from users, though these measures may impact application functionality. Oracle strongly recommends remaining on actively-supported versions and applying security patches promptly. Patch status is confirmed by the vendor advisory linked.