PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-35313 Oracle Corporation CVE debrief

A critical vulnerability was discovered in Oracle Access Manager, a product of Oracle Fusion Middleware, specifically in the Authentication Engine component. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0. It is easily exploitable by a low-privileged attacker with network access via HTTP, potentially leading to a takeover of Oracle Access Manager. The CVSS 3.1 Base Score is 9.9, indicating a high impact on confidentiality, integrity, and availability. The vulnerability has a significant impact on affected systems, and organizations should prioritize patching to prevent potential system compromise.

Vendor
Oracle Corporation
Product
Oracle Access Manager
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-17
Advisory published
2026-06-17
Advisory updated
2026-06-17

Who should care

Organizations using Oracle Access Manager versions 12.2.1.4.0 and 14.1.2.1.0 should prioritize patching this vulnerability to prevent potential system compromise. Affected operators, platforms, and security teams should review the official advisory and CVE record for mitigation guidance.

Technical summary

The vulnerability in Oracle Access Manager's Authentication Engine component can be exploited by a low-privileged attacker with network access via HTTP. Successful attacks can result in the takeover of Oracle Access Manager. The CVSS Vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability has a high impact on confidentiality, integrity, and availability. Organizations should focus on patching affected versions 12.2.1.4.0 and 14.1.2.1.0, and consider compensating controls if immediate patching is not feasible. Evidence from the official CVE record and NVD entry supports this guidance, emphasizing the need for swift mitigation to prevent potential system compromise.

Defensive priority

High

Recommended defensive actions

  • Apply the patch from Oracle as soon as possible
  • Restrict network access to Oracle Access Manager
  • Monitor for suspicious activity
  • Review and update access controls
  • Consider compensating controls if patching is not immediate
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-06-17T10:40:23.467Z and last modified on 2026-06-17T20:36:10.937Z. The NVD entry is currently Analyzed. The vulnerability affects Oracle Access Manager versions 12.2.1.4.0 and 14.1.2.1.0. Evidence is based on the official CVE record and NVD entry. Defenders should verify affected product deployments and review official advisories for mitigation guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:40:23.467Z and has not been modified since then. The NVD entry is currently Analyzed.