PatchSiren cyber security CVE debrief
CVE-2026-35313 Oracle Corporation CVE debrief
A critical vulnerability was discovered in Oracle Access Manager, a product of Oracle Fusion Middleware, specifically in the Authentication Engine component. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. It is easily exploitable by a low-privileged attacker with network access via HTTP, potentially leading to a takeover of Oracle Access Manager. The CVSS 3.1 Base Score is 9.9, indicating a high impact on confidentiality, integrity, and availability. The vulnerability has a significant impact on affected systems, and organizations should prioritize patching to prevent potential system compromise.
- Vendor
- Oracle Corporation
- Product
- Oracle Access Manager
- CVSS
- CRITICAL 9.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-17
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-17
Who should care
Organizations using Oracle Access Manager versions 12.2.1.4.0 and 14.1.2.1.0 should prioritize patching this vulnerability to prevent potential system compromise. Affected operators, platforms, and security teams should review the official advisory and CVE record for mitigation guidance.
Technical summary
The vulnerability in Oracle Access Manager's Authentication Engine component can be exploited by a low-privileged attacker with network access via HTTP. Successful attacks can result in the takeover of Oracle Access Manager. The CVSS Vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability has a high impact on confidentiality, integrity, and availability. Organizations should focus on patching affected versions 12.2.1.4.0 and 14.1.2.1.0, and consider compensating controls if immediate patching is not feasible. Evidence from the official CVE record and NVD entry supports this guidance, emphasizing the need for swift mitigation to prevent potential system compromise.
Defensive priority
High
Recommended defensive actions
- Apply the patch from Oracle as soon as possible
- Restrict network access to Oracle Access Manager
- Monitor for suspicious activity
- Review and update access controls
- Consider compensating controls if patching is not immediate
- Review relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-06-17T10:40:23.467Z and last modified on 2026-06-17T20:36:10.937Z. The NVD entry is currently Analyzed. The vulnerability affects Oracle Access Manager versions 12.2.1.4.0 and 14.1.2.1.0. Evidence is based on the official CVE record and NVD entry. Defenders should verify affected product deployments and review official advisories for mitigation guidance.
Official resources
-
CVE-2026-35313 CVE record
CVE.org
-
CVE-2026-35313 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:40:23.467Z and has not been modified since then. The NVD entry is currently Analyzed.