CVE-2026-35313 Overview
CVE-2026-35313 is a critical vulnerability in the Authentication Engine component of Oracle Access Manager, part of Oracle Fusion Middleware. The flaw allows a low-privileged attacker with network access via HTTP to compromise Oracle Access Manager. Successful exploitation results in complete takeover of the affected instance. The vulnerability carries a scope change, meaning attacks may significantly impact additional products beyond Oracle Access Manager itself. Oracle disclosed the issue in the June 2026 Critical Security Patch Update.
Critical Impact
Authenticated attackers with low privileges can take over Oracle Access Manager over the network, with cascading impact to integrated systems due to scope change.
Affected Products
- Oracle Access Manager version 12.2.1.4.0
- Oracle Access Manager version 14.1.2.1.0
- Oracle Fusion Middleware deployments using the Authentication Engine component
Discovery Timeline
- 2026-06-17 - CVE-2026-35313 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
- June 2026 - Oracle published the Critical Security Patch Update advisory
Technical Details for CVE-2026-35313
Vulnerability Analysis
The vulnerability resides in the Authentication Engine of Oracle Access Manager, which handles credential validation, session creation, and federation across Oracle Fusion Middleware. Oracle classifies the weakness under [CWE-284] Improper Access Control. An authenticated attacker holding low privileges can issue crafted HTTP requests that bypass enforcement boundaries and gain full control of the Access Manager instance.
Because Oracle Access Manager brokers authentication for downstream Fusion Middleware applications, compromise produces a scope change. An attacker who takes over the Authentication Engine can mint sessions, forge identities, and pivot into integrated business applications such as ERP, HCM, and custom enterprise portals. The impact extends to confidentiality, integrity, and availability of the wider identity fabric.
Root Cause
The root cause is improper access control within the Authentication Engine. The component does not adequately restrict privileged operations to appropriately authorized actors. Low-privileged accounts can reach functionality that should be limited to administrative roles. Oracle has not published deeper internal details beyond the advisory categorization.
Attack Vector
The attack vector is the network over HTTP. Exploitation requires only valid low-privileged credentials and no user interaction. Attack complexity is low, making the issue practical for credential-stuffing, insider threat, or post-phishing scenarios where any authenticated session exists. The exploit prediction (EPSS) probability is 0.411% at the 32.658 percentile, reflecting low observed exploitation activity at publication.
No public proof-of-concept code or exploit modules are listed in the enriched data. See the Oracle Security Alert for vendor technical details.
Detection Methods for CVE-2026-35313
Indicators of Compromise
- Unexpected administrative actions in Oracle Access Manager audit logs originating from non-administrative accounts
- Anomalous session tokens or OAM cookies issued without corresponding successful authentication events
- HTTP requests targeting Authentication Engine endpoints with unusual parameter sets or sequencing
- Sudden federation trust changes, policy edits, or identity provider modifications
Detection Strategies
- Correlate Oracle Access Manager oam_server.log and audit event streams against authentication baselines
- Alert on privilege use mismatches where low-privileged identities perform administrative API calls
- Inspect WebGate and reverse proxy logs for HTTP methods or URIs not normally invoked by user roles
- Hunt for outbound connections from OAM servers to unfamiliar hosts following identity-related requests
Monitoring Recommendations
- Forward Oracle Access Manager logs to a SIEM or data lake with OCSF normalization for cross-product correlation
- Track session creation rates and federation assertion volumes for statistical anomalies
- Monitor changes to OAM policy stores, identity stores, and authentication schemes in near real time
- Review least-privilege adherence for every OAM service and operator account on a recurring basis
How to Mitigate CVE-2026-35313
Immediate Actions Required
- Apply the June 2026 Oracle Critical Security Patch Update to Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0
- Inventory all Oracle Fusion Middleware deployments and confirm Authentication Engine patch status
- Rotate credentials for OAM service accounts, administrative users, and federation trust secrets after patching
- Restrict network access to Oracle Access Manager admin and Authentication Engine endpoints to trusted management networks
Patch Information
Oracle released fixes in the June 2026 Critical Security Patch Update. Administrators should consult the Oracle Security Alert for the exact patch bundle, prerequisite versions, and installation order applicable to their Fusion Middleware deployment.
Workarounds
- Limit HTTP exposure of Oracle Access Manager interfaces using web application firewall rules and network segmentation
- Enforce strong authentication and conditional access for any account capable of reaching OAM endpoints
- Reduce the number of accounts holding any privilege within Oracle Access Manager until patching is complete
- Increase audit verbosity on the Authentication Engine and review logs daily during the remediation window
# Configuration example: restrict access to OAM admin endpoints via reverse proxy ACL
# Replace with your trusted management CIDR ranges
<Location /oamconsole>
Require ip 10.10.20.0/24
Require ip 10.10.30.0/24
</Location>
<Location /oam/server>
Require ip 10.10.20.0/24
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

