Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35313

CVE-2026-35313: Oracle Access Manager Auth Bypass Flaw

CVE-2026-35313 is an authentication bypass vulnerability in Oracle Access Manager that enables complete system takeover with minimal privileges. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-35313 Overview

CVE-2026-35313 is a critical vulnerability in the Authentication Engine component of Oracle Access Manager, part of Oracle Fusion Middleware. The flaw allows a low-privileged attacker with network access via HTTP to compromise Oracle Access Manager. Successful exploitation results in complete takeover of the affected instance. The vulnerability carries a scope change, meaning attacks may significantly impact additional products beyond Oracle Access Manager itself. Oracle disclosed the issue in the June 2026 Critical Security Patch Update.

Critical Impact

Authenticated attackers with low privileges can take over Oracle Access Manager over the network, with cascading impact to integrated systems due to scope change.

Affected Products

  • Oracle Access Manager version 12.2.1.4.0
  • Oracle Access Manager version 14.1.2.1.0
  • Oracle Fusion Middleware deployments using the Authentication Engine component

Discovery Timeline

  • 2026-06-17 - CVE-2026-35313 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database
  • June 2026 - Oracle published the Critical Security Patch Update advisory

Technical Details for CVE-2026-35313

Vulnerability Analysis

The vulnerability resides in the Authentication Engine of Oracle Access Manager, which handles credential validation, session creation, and federation across Oracle Fusion Middleware. Oracle classifies the weakness under [CWE-284] Improper Access Control. An authenticated attacker holding low privileges can issue crafted HTTP requests that bypass enforcement boundaries and gain full control of the Access Manager instance.

Because Oracle Access Manager brokers authentication for downstream Fusion Middleware applications, compromise produces a scope change. An attacker who takes over the Authentication Engine can mint sessions, forge identities, and pivot into integrated business applications such as ERP, HCM, and custom enterprise portals. The impact extends to confidentiality, integrity, and availability of the wider identity fabric.

Root Cause

The root cause is improper access control within the Authentication Engine. The component does not adequately restrict privileged operations to appropriately authorized actors. Low-privileged accounts can reach functionality that should be limited to administrative roles. Oracle has not published deeper internal details beyond the advisory categorization.

Attack Vector

The attack vector is the network over HTTP. Exploitation requires only valid low-privileged credentials and no user interaction. Attack complexity is low, making the issue practical for credential-stuffing, insider threat, or post-phishing scenarios where any authenticated session exists. The exploit prediction (EPSS) probability is 0.411% at the 32.658 percentile, reflecting low observed exploitation activity at publication.

No public proof-of-concept code or exploit modules are listed in the enriched data. See the Oracle Security Alert for vendor technical details.

Detection Methods for CVE-2026-35313

Indicators of Compromise

  • Unexpected administrative actions in Oracle Access Manager audit logs originating from non-administrative accounts
  • Anomalous session tokens or OAM cookies issued without corresponding successful authentication events
  • HTTP requests targeting Authentication Engine endpoints with unusual parameter sets or sequencing
  • Sudden federation trust changes, policy edits, or identity provider modifications

Detection Strategies

  • Correlate Oracle Access Manager oam_server.log and audit event streams against authentication baselines
  • Alert on privilege use mismatches where low-privileged identities perform administrative API calls
  • Inspect WebGate and reverse proxy logs for HTTP methods or URIs not normally invoked by user roles
  • Hunt for outbound connections from OAM servers to unfamiliar hosts following identity-related requests

Monitoring Recommendations

  • Forward Oracle Access Manager logs to a SIEM or data lake with OCSF normalization for cross-product correlation
  • Track session creation rates and federation assertion volumes for statistical anomalies
  • Monitor changes to OAM policy stores, identity stores, and authentication schemes in near real time
  • Review least-privilege adherence for every OAM service and operator account on a recurring basis

How to Mitigate CVE-2026-35313

Immediate Actions Required

  • Apply the June 2026 Oracle Critical Security Patch Update to Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0
  • Inventory all Oracle Fusion Middleware deployments and confirm Authentication Engine patch status
  • Rotate credentials for OAM service accounts, administrative users, and federation trust secrets after patching
  • Restrict network access to Oracle Access Manager admin and Authentication Engine endpoints to trusted management networks

Patch Information

Oracle released fixes in the June 2026 Critical Security Patch Update. Administrators should consult the Oracle Security Alert for the exact patch bundle, prerequisite versions, and installation order applicable to their Fusion Middleware deployment.

Workarounds

  • Limit HTTP exposure of Oracle Access Manager interfaces using web application firewall rules and network segmentation
  • Enforce strong authentication and conditional access for any account capable of reaching OAM endpoints
  • Reduce the number of accounts holding any privilege within Oracle Access Manager until patching is complete
  • Increase audit verbosity on the Authentication Engine and review logs daily during the remediation window
bash
# Configuration example: restrict access to OAM admin endpoints via reverse proxy ACL
# Replace with your trusted management CIDR ranges
<Location /oamconsole>
    Require ip 10.10.20.0/24
    Require ip 10.10.30.0/24
</Location>

<Location /oam/server>
    Require ip 10.10.20.0/24
</Location>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.