Threat Intelligence Database

CVE-2026-35314 is a high-severity vulnerability in Oracle Access Manager versions 12.2.1.4.0 and 14.1.2.1.0. It allows an unauthenticated attacker with network access via HTTP to perform unauthorized update, insert, or delete operations on some accessible data, read a subset of accessible data, and cause a partial denial of service. The vulnerability affects the Web Server Plugin component of Oracle Fusion Middleware. The CVSS 3.1 base score is 7.3, reflecting impacts on confidentiality, integrity, and availability. Oracle has released a Critical Security Patch Update in June 2026 addressing this and many other vulnerabilities. Customers are strongly advised to apply the patch promptly to mitigate the risk. Until patched, risk reduction may be possible by blocking required network protocols or limiting privileges, though these may impact functionality.

CVE-2026-35313 is a critical vulnerability in Oracle Access Manager versions 12.2.1.4.0 and 14.1.2.1.0. It allows a low privileged attacker with network access via HTTP to compromise Oracle Access Manager, potentially leading to full takeover. The vulnerability impacts confidentiality, integrity, and availability, with a CVSS 3.1 base score of 9.9. Oracle has included this vulnerability in its June 2026 Critical Security Patch Update advisory, recommending prompt patching. Mitigations include applying the Critical Security Patch Update and restricting network protocols or privileges where feasible until patches are applied. No explicit patch availability or remediation level is stated in the advisory content, but Oracle strongly urges applying the provided patches without delay.

CVE-2026-35261 is a vulnerability in Oracle Access Manager versions 12.2.1.4.0 and 14.1.2.1.0 that allows an unauthenticated attacker with network access via HTTP to perform unauthorized read and write operations on accessible data. The vulnerability affects the Authentication Engine component of Oracle Fusion Middleware. It has a CVSS 3.1 base score of 6.5, indicating a medium severity level. Successful exploitation can lead to unauthorized update, insert, or delete access to some data, as well as unauthorized read access to a subset of data. Oracle has included this vulnerability in its June 2026 Critical Security Patch Update advisory, which contains patches for affected products. Customers are strongly advised to apply the security patches promptly to mitigate the risk. No specific patch version is explicitly stated for Oracle Access Manager in the provided advisory content, but the vendor strongly recommends applying the Critical Security Patch Update. Workarounds include blocking network protocols required by the attack or removing unnecessary privileges, though these may impact functionality.