Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35314

CVE-2026-35314: Oracle Access Manager Auth Bypass Flaw

CVE-2026-35314 is an authentication bypass vulnerability in Oracle Access Manager's Web Server Plugin that allows unauthenticated attackers to compromise data integrity. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-35314 Overview

CVE-2026-35314 is a high-severity vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware. The flaw resides in the Web Server Plugin and affects supported versions 12.2.1.4.0 and 14.1.2.1.0. An unauthenticated attacker with network access via HTTP can exploit the issue without user interaction. Successful exploitation allows unauthorized read, insert, update, or delete access to a subset of Oracle Access Manager data. Attackers can also trigger a partial denial of service against the identity management service. The weakness is categorized under improper access control [CWE-284].

Critical Impact

Unauthenticated remote attackers can modify or read Oracle Access Manager data and degrade authentication services across enterprise applications relying on Oracle SSO.

Affected Products

  • Oracle Access Manager 12.2.1.4.0
  • Oracle Access Manager 14.1.2.1.0
  • Oracle Fusion Middleware deployments using the Web Server Plugin

Discovery Timeline

  • 2026-06-17 - CVE-2026-35314 published to NVD
  • 2026-06-17 - Last updated in NVD database
  • 2026-06-17 - Oracle released the Oracle Security Alert

Technical Details for CVE-2026-35314

Vulnerability Analysis

The vulnerability exists in the Web Server Plugin component of Oracle Access Manager (OAM). The plugin brokers authentication and authorization requests between web servers and the OAM server, intercepting HTTP traffic to enforce single sign-on policies. An attacker who reaches the plugin over HTTP can bypass intended access controls without supplying credentials.

Exploitation does not require authentication, user interaction, or elevated privileges. The attack delivers crafted HTTP requests across the network to the affected plugin endpoint. Successful attacks yield limited but meaningful confidentiality, integrity, and availability impact across the OAM instance.

Because OAM commonly fronts business-critical applications, even partial data modification can affect downstream identity decisions. The partial denial of service condition can disrupt authentication flows and lock legitimate users out of dependent applications.

Root Cause

Oracle has not disclosed implementation specifics. The Common Weakness Enumeration mapping [CWE-284] indicates improper access control inside the Web Server Plugin request-handling path. The plugin appears to process certain HTTP requests without enforcing the authentication or authorization checks expected for the operations performed.

Attack Vector

The attack vector is network based over HTTP. An attacker sends crafted HTTP requests directly to a web server hosting the OAM Web Server Plugin. No prior account, session, or social engineering is needed. Any Oracle Fusion Middleware deployment exposing the plugin to untrusted networks is reachable. Internet-exposed OAM instances are at greatest risk, but internal attackers on adjacent network segments can also exploit the issue.

No public proof-of-concept exploit is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.307% at the 22nd percentile as of 2026-06-18.

Detection Methods for CVE-2026-35314

Indicators of Compromise

  • Unexpected HTTP requests to OAM Web Server Plugin endpoints from unauthenticated sources targeting administrative or policy resources.
  • Anomalous modifications to OAM configuration or session data without corresponding administrator activity in audit logs.
  • Spikes in plugin error messages or partial outages of authentication services without operational cause.

Detection Strategies

  • Inspect web server access logs for malformed or unusual HTTP requests sent to OAM plugin URI paths, particularly from external IPs.
  • Correlate OAM audit logs with web server logs to identify state changes that lack matching authenticated sessions.
  • Deploy network signatures on web application firewalls to flag traffic patterns matching Oracle CPU June 2026 advisory guidance.

Monitoring Recommendations

  • Forward OAM, Oracle HTTP Server, and reverse proxy logs to a centralized SIEM for correlation and retention.
  • Alert on authentication failure rate changes and plugin process restarts that may indicate exploitation attempts.
  • Review identity provider downstream applications for unexpected policy decisions or account state changes.

How to Mitigate CVE-2026-35314

Immediate Actions Required

  • Apply the Oracle Critical Patch Update June 2026 to all Oracle Access Manager 12.2.1.4.0 and 14.1.2.1.0 deployments.
  • Restrict network access to the OAM Web Server Plugin to trusted management and application networks only.
  • Audit recent OAM configuration and policy changes for unauthorized modifications.
  • Inventory all Oracle Fusion Middleware instances running the Web Server Plugin to ensure complete patch coverage.

Patch Information

Oracle released fixes for CVE-2026-35314 as part of the June 2026 Critical Patch Update. Administrators must obtain and apply the patches referenced in the Oracle Security Alert. Both supported versions 12.2.1.4.0 and 14.1.2.1.0 require updates. Apply patches in non-production environments first to validate compatibility with existing OAM policies and integrations.

Workarounds

  • Place a web application firewall in front of the OAM plugin to filter unauthenticated requests to sensitive endpoints.
  • Use network access control lists to limit HTTP exposure of OAM plugin hosts to known client systems.
  • Enable verbose auditing on OAM to capture forensic evidence while patches are staged for deployment.
bash
# Configuration example: restrict access at the web server layer
# Apache HTTP Server example for OAM plugin endpoints
<Location /oam>
    Require ip 10.0.0.0/8
    Require ip 192.168.0.0/16
</Location>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.