CVE-2026-46812 Overview
CVE-2026-46812 is a vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware, specifically in the Authentication Engine component. The flaw affects supported versions 12.2.1.4.0 and 14.1.2.1.0. An unauthenticated attacker with network access via HTTP can exploit the vulnerability, though successful attacks require human interaction from a user other than the attacker. The vulnerability carries a scope change, meaning exploitation may significantly impact products beyond Oracle Access Manager itself. The weakness is classified under [CWE-284] (Improper Access Control).
Critical Impact
Successful exploitation can lead to unauthorized update, insert, or delete access to some Oracle Access Manager data, plus unauthorized read access to a subset of that data, with a scope change that extends impact to additional products.
Affected Products
- Oracle Access Manager 12.2.1.4.0
- Oracle Access Manager 14.1.2.1.0
- Oracle Fusion Middleware deployments using the Authentication Engine component
Discovery Timeline
- 2026-06-17 - CVE-2026-46812 published to NVD
- 2026-06-17 - Oracle Critical Patch Update advisory released (Oracle Security Alert)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-46812
Vulnerability Analysis
The vulnerability resides in the Authentication Engine component of Oracle Access Manager (OAM), which handles identity verification flows for Oracle Fusion Middleware deployments. An unauthenticated remote attacker can deliver a crafted HTTP request that, when combined with user interaction such as clicking a malicious link, leads to a compromise of OAM. The attack is network-based and described by Oracle as easily exploitable.
The scope change indicator means the security impact extends beyond OAM into other components that trust OAM-issued authentication state. As a result, exploitation can affect downstream applications that rely on OAM single sign-on (SSO) and federation services. Impact is limited to partial confidentiality and integrity loss, with no availability impact reported.
Root Cause
The root cause is improper access control [CWE-284] in the Authentication Engine. The component does not adequately enforce restrictions on actions that should require authenticated or privileged context. Required user interaction suggests an attack pattern consistent with cross-context request handling, where a victim's browser is leveraged to perform actions against the OAM endpoint.
Attack Vector
The attacker initiates the attack remotely over HTTP without prior credentials. The exploitation chain requires a victim user to interact with attacker-controlled content, such as visiting a malicious page or following a crafted URL. Once the victim's browser issues the request, OAM processes it under conditions that allow unauthorized read and write operations against a subset of OAM-accessible data. Because of scope change, downstream Fusion Middleware applications that consume OAM tokens or sessions may also be affected. No verified proof-of-concept code is publicly available at the time of publication.
Detection Methods for CVE-2026-46812
Indicators of Compromise
- Unexpected HTTP requests to OAM Authentication Engine endpoints originating from external referrers or suspicious user-agents.
- Modification, insertion, or deletion of OAM configuration or policy data without a corresponding administrative session.
- Anomalous SSO token issuance or session establishment events that lack a preceding valid authentication.
Detection Strategies
- Inspect OAM access logs for requests to Authentication Engine URIs that include unusual parameters or originate from off-domain referrers.
- Correlate web application firewall (WAF) and reverse proxy logs with OAM audit logs to identify request flows tied to user-interaction-driven exploitation.
- Hunt for downstream Fusion Middleware authorization events that lack corresponding interactive logins in OAM.
Monitoring Recommendations
- Forward OAM audit and access logs to a centralized SIEM and alert on writes to authentication policies outside change windows.
- Monitor for spikes in failed or partial authentication transactions following user click-throughs from external email or web sources.
- Track outbound HTTP referrers in OAM front-end logs to identify suspicious cross-site initiated requests.
How to Mitigate CVE-2026-46812
Immediate Actions Required
- Apply the Oracle Critical Patch Update from June 2026 to all OAM 12.2.1.4.0 and 14.1.2.1.0 deployments. See the Oracle Security Alert.
- Inventory all Fusion Middleware applications that consume OAM authentication and prioritize patching for internet-facing instances first.
- Review OAM administrative and policy change logs since the publication date for unauthorized modifications.
Patch Information
Oracle addressed CVE-2026-46812 in the June 2026 Critical Patch Update. Administrators should download and apply the patch bundle referenced in the Oracle Security Alert for versions 12.2.1.4.0 and 14.1.2.1.0. Restart affected OAM managed servers after patching and validate authentication flows in a non-production environment before promoting changes.
Workarounds
- Restrict access to OAM Authentication Engine endpoints at the reverse proxy or WAF tier, blocking requests with off-domain referrers where feasible.
- Enforce strict same-site cookie attributes and CSRF protections on OAM front-channel endpoints to reduce the impact of user-interaction-driven attacks.
- User awareness training to reduce the likelihood that authenticated users click on untrusted links targeting OAM endpoints.
# Example: block off-domain referrers to OAM endpoints at an NGINX reverse proxy
location /oam/ {
if ($http_referer !~* ^https?://(.*\.)?example\.com/) {
return 403;
}
proxy_pass http://oam_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

