Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35261

CVE-2026-35261: Oracle Access Manager Auth Bypass Flaw

CVE-2026-35261 is an authentication bypass vulnerability in Oracle Access Manager that allows unauthenticated attackers to access and modify sensitive data. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-35261 Overview

CVE-2026-35261 is an authentication-related vulnerability [CWE-287] in the Authentication Engine component of Oracle Access Manager, part of Oracle Fusion Middleware. The flaw allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager without user interaction. Successful exploitation can result in unauthorized update, insert, or delete access to a subset of Oracle Access Manager data, along with unauthorized read access to a subset of that data. Oracle published the advisory in its June 2026 Critical Patch Update.

Critical Impact

Unauthenticated network attackers can modify and read a subset of Oracle Access Manager data over HTTP, undermining the integrity and confidentiality of identity and access management workflows.

Affected Products

  • Oracle Access Manager 12.2.1.4.0
  • Oracle Access Manager 14.1.2.1.0
  • Oracle Fusion Middleware (Authentication Engine component)

Discovery Timeline

  • 2026-06-17 - CVE-2026-35261 published to NVD
  • 2026-06-17 - Last updated in NVD database
  • June 2026 - Oracle Critical Patch Update advisory released

Technical Details for CVE-2026-35261

Vulnerability Analysis

The vulnerability resides in the Authentication Engine of Oracle Access Manager, the core component responsible for verifying user identities and brokering access tokens for downstream Fusion Middleware applications. An attacker reaches the flaw through standard HTTP requests, without prior credentials or social engineering. Oracle classifies the issue as easily exploitable, with the attack surface exposed wherever Access Manager endpoints are reachable on the network.

The impact is partial across two of the three CIA properties. Attackers can perform unauthorized update, insert, or delete operations against a subset of Oracle Access Manager data, and read a subset of accessible data. Availability is not affected, and the attack does not change scope across security boundaries. Because Access Manager handles authentication for federated applications, even partial integrity loss in this component can cascade into downstream identity decisions.

Root Cause

The root cause maps to [CWE-287] Improper Authentication. The Authentication Engine fails to correctly enforce authentication checks on certain HTTP-reachable code paths, allowing requests without valid credentials to influence protected data operations. Oracle has not disclosed lower-level technical details beyond the component and impact classification in its June 2026 Critical Patch Update.

Attack Vector

Exploitation occurs over the network via HTTP. The attacker requires no privileges, no user interaction, and no foothold inside the environment. Any Oracle Access Manager deployment with its HTTP interface reachable by an attacker, whether on the internet or an internal segment, falls within scope. Refer to the Oracle Security Alert for vendor-confirmed exposure details.

Detection Methods for CVE-2026-35261

Indicators of Compromise

  • Unauthenticated HTTP requests to Oracle Access Manager endpoints that result in successful write, update, or delete operations in audit logs.
  • Unexpected modifications to Access Manager policy, session, or user-mapping data not tied to an administrator session.
  • Anomalous read access patterns against Access Manager data stores from unrecognized source IPs.

Detection Strategies

  • Enable verbose auditing on the Oracle Access Manager Authentication Engine and review requests lacking a valid authenticated principal that still trigger data changes.
  • Correlate web access logs from the OAM front-end with backend data store activity to identify HTTP requests that drive unauthorized modifications.
  • Baseline normal administrator traffic to OAM management endpoints and alert on deviations in source, frequency, or operation type.

Monitoring Recommendations

  • Forward Oracle Access Manager audit and HTTP server logs to a centralized log platform with retention sufficient for incident response.
  • Alert on HTTP 200 responses to authentication or policy endpoints when the request contains no session token or authenticated user context.
  • Monitor configuration and identity store changes against an approved change-management baseline.

How to Mitigate CVE-2026-35261

Immediate Actions Required

  • Apply the fixes from the Oracle June 2026 Critical Patch Update to all Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 deployments.
  • Inventory all Access Manager instances, including non-production environments, and confirm patch status for each.
  • Restrict network exposure of Oracle Access Manager HTTP endpoints to required client networks until patching is verified.

Patch Information

Oracle addresses CVE-2026-35261 in the June 2026 Critical Patch Update for Oracle Fusion Middleware. Administrators should consult the Oracle Security Alert for patch identifiers, prerequisites, and post-installation steps specific to each supported version.

Workarounds

  • Place Oracle Access Manager behind a reverse proxy or web application firewall configured to reject anonymous requests to authentication and administrative paths.
  • Apply strict network segmentation so that only trusted application tiers can reach the OAM Authentication Engine over HTTP.
  • Increase audit log verbosity and shorten review intervals on Access Manager data stores until the patch is deployed.
bash
# Configuration example: restrict HTTP access to OAM at the network edge
# Example iptables rule limiting OAM port 14100 to a trusted application subnet
iptables -A INPUT -p tcp --dport 14100 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 14100 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.