CVE-2026-46845: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. in Oracle Corporation Oracle WebCenter Portal
CVE-2026-46845 is a critical vulnerability in Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0. It allows an unauthenticated attacker with network access via HTTPS to fully compromise the Oracle WebCenter Portal, potentially leading to complete takeover. The vulnerability has a CVSS 3.1 base score of 9.8, indicating high impact on confidentiality, integrity, and availability. Oracle has included this fix in its June 2026 Critical Security Patch Update. Customers are strongly advised to apply the patch promptly to mitigate the risk. Until patched, risk reduction may be possible by blocking required network protocols or restricting privileges, though these may impact functionality.
AI Analysis
Technical Summary
This vulnerability affects the Security Framework component of Oracle WebCenter Portal in versions 12.2.1.4.0 and 14.1.2.0.0. It is easily exploitable remotely without authentication via HTTPS, allowing attackers to compromise the portal completely. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) confirms network attack vector with low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update, which contains 245 security patches across multiple products. Oracle strongly recommends applying these patches immediately to prevent exploitation. Workarounds include blocking network protocols required by the attack or removing unnecessary privileges, but these may disrupt normal operations.
Potential Impact
Successful exploitation can lead to full compromise and takeover of Oracle WebCenter Portal, impacting confidentiality, integrity, and availability of the system. This could allow attackers to access sensitive data, modify or delete content, and disrupt portal services.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers should apply the June 2026 Critical Security Patch Update without delay to remediate the issue. Until patches are applied, risk can be partially mitigated by blocking network protocols required for exploitation or by removing unnecessary privileges from users, though these measures may affect application functionality. Oracle strongly advises remaining on actively-supported versions and promptly applying security patches.
CVE-2026-46845: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle WebCenter Portal. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Portal. in Oracle Corporation Oracle WebCenter Portal
Description
CVE-2026-46845 is a critical vulnerability in Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0. It allows an unauthenticated attacker with network access via HTTPS to fully compromise the Oracle WebCenter Portal, potentially leading to complete takeover. The vulnerability has a CVSS 3.1 base score of 9.8, indicating high impact on confidentiality, integrity, and availability. Oracle has included this fix in its June 2026 Critical Security Patch Update. Customers are strongly advised to apply the patch promptly to mitigate the risk. Until patched, risk reduction may be possible by blocking required network protocols or restricting privileges, though these may impact functionality.
CVSS v3.1
Score 9.8critical
Affected software
pkg:maven/com.oracle.webcenter/portalRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects the Security Framework component of Oracle WebCenter Portal in versions 12.2.1.4.0 and 14.1.2.0.0. It is easily exploitable remotely without authentication via HTTPS, allowing attackers to compromise the portal completely. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) confirms network attack vector with low attack complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. Oracle has addressed this vulnerability in its June 2026 Critical Security Patch Update, which contains 245 security patches across multiple products. Oracle strongly recommends applying these patches immediately to prevent exploitation. Workarounds include blocking network protocols required by the attack or removing unnecessary privileges, but these may disrupt normal operations.
Potential Impact
Successful exploitation can lead to full compromise and takeover of Oracle WebCenter Portal, impacting confidentiality, integrity, and availability of the system. This could allow attackers to access sensitive data, modify or delete content, and disrupt portal services.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers should apply the June 2026 Critical Security Patch Update without delay to remediate the issue. Until patches are applied, risk can be partially mitigated by blocking network protocols required for exploitation or by removing unnecessary privileges from users, though these measures may affect application functionality. Oracle strongly advises remaining on actively-supported versions and promptly applying security patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.306Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b6160b89be68882659d9
Added to database: 6/16/2026, 8:46:14 PM
Last enriched: 6/16/2026, 11:01:09 PM
Last updated: 6/17/2026, 5:02:45 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.