This vulnerability exists in the Runtime Tools component of Oracle WebCenter Portal within Oracle Fusion Middleware. It is easily exploitable by an attacker with low privileges and network access over HTTPS, enabling compromise and potential takeover of the Oracle WebCenter Portal. The vulnerability has a CVSS 3.1 base score of 9.9, indicating critical impact on confidentiality, integrity, and availability. Although the vulnerability is specific to Oracle WebCenter Portal versions 12.2.1.4.0 and 14.1.2.0.0, exploitation may have broader impact on other Oracle products. Oracle has published a Critical Security Patch Update in June 2026 addressing this and other vulnerabilities.

Successful exploitation can lead to complete compromise of Oracle WebCenter Portal, affecting confidentiality, integrity, and availability of the system. The vulnerability is exploitable remotely over HTTPS by a low privileged attacker, increasing the risk of widespread impact. Additionally, the scope change indicates that other Oracle products may be indirectly impacted by attacks leveraging this vulnerability.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately to remediate this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required by an attack and by removing unnecessary privileges from users. Oracle advises customers to remain on actively supported versions and to apply security patches without delay. Patch status is not explicitly confirmed in the advisory text, but the Critical Security Patch Update contains targeted fixes addressing this vulnerability.