
Oracle Access Manager Authentication Engine Takeover Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-35313

A critical vulnerability in Oracle Access Manager could allow a low-privileged attacker with network access to take over the system. This could impact other connected products because Oracle Access Manager manages access and authentication. Organizations should confirm if they use this technology and assess potential e

Affected product: Oracle Access Manager

Affected versions: 12.2.1.4.0, 14.1.2.1.0

Halo Surface Signal: 5 · Very likely · external exposure

Oracle Access Manager is an identity management and access control solution designed to be deployed at the network edge or as a centralized authentication gateway. It is inherently public-facing to facilitate user authentication for web applications and services, making its network-reachable components naturally exposed in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle Access Manager, a component of Oracle Fusion Middleware, that could allow a low-privileged attacker with network access to compromise the system. Successful exploitation may lead to a takeover of Oracle Access Manager, potentially impacting other connected products due to the nature of its function in managing access. The primary concern for leadership is to confirm if this technology is in use and to assess any potential exposure.

  • It's an Oracle Access Manager flaw.
  • Affects critical access control and identity.
  • Confirm relevance and assess any exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted network requests to Oracle Access Manager. This could lead to the complete takeover of the Access Manager system, potentially impacting other connected products.

  • Attacker needs network access.
  • Triggered via HTTP requests.
  • Results in full system takeover.

Live Threat

Current exploitation, exposure, and threat context

A low-privileged attacker with network access could compromise Oracle Access Manager, potentially impacting other connected products. This vulnerability, when exploited, could lead to the complete takeover of the Oracle Access Manager, affecting its ability to manage access and authentication.

  • Oracle Access Manager system data.
  • Via network access with low-privileged credentials.
  • Complete takeover of the service.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for Oracle Access Manager, likely part of an Identity and Access Management (IAM) or Application Platform group, should lead remediation efforts. The first practical step is to inventory all Oracle Access Manager instances, confirm their network reachability and business criticality, and identify the specific application or service owners. Planning for remediation should then be risk-based, considering available maintenance windows and vendor coordination.

  • Ownership likely lies with IAM or platform teams.
  • Verify network exposure and critical assets first.
  • Plan remediation and coordinate with the vendor.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35313 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Oracle Access Manager vulnerability allows a low-privileged attacker to compromise the system remotely, and a CVSS 9.9 finding on an internet-facing host would cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle Access Manager?

Oracle Access Manager is a core component of Oracle Fusion Middleware used to manage identity and access control. It acts as a centralized gateway that verifies user credentials and enforces security policies for web applications and services. Because it sits at the intersection of users and enterprise resources, it is often deployed in positions that manage broad access across an organization's software environment.

What does CWE-284 mean for CVE-2026-35313?

CWE-284 refers to Improper Access Control. In the context of this vulnerability, it means the Authentication Engine in Oracle Access Manager fails to properly restrict or verify requests it receives. This weakness allows an attacker to bypass intended security boundaries, granting them unauthorized control over the system's functions. Essentially, the mechanism that is supposed to gate access is itself vulnerable to being subverted.

How is this vulnerability triggered?

The flaw is triggered when an attacker sends specially crafted HTTP requests over the network to the affected Oracle Access Manager component. It does not require local access; a low-privileged account with network reach to the component is sufficient, and the attack path relies on the system's ability to process these malicious requests. Because this is a network-based issue, it is not triggered by local user actions or physical interaction with the server hardware.

Why is this a risk for my network?

According to Halo Surface Signal, Oracle Access Manager is designed to be a centralized authentication gateway, which often places it at the network edge to serve web applications. Because these components are inherently intended to be network-reachable to facilitate logins, they are naturally exposed. If your instance is reachable via the internet, the barrier for an attacker to reach the vulnerable component is significantly lower than for internal-only systems.

What should I do if I run this software?

Your first step is to inventory all instances of Oracle Access Manager within your environment to determine which versions are in use. Identify the teams responsible for these systems—typically IAM or application platform groups—and confirm their network connectivity status. Once identified, work with these owners to prioritize these assets based on their criticality and plan for maintenance or vendor-supplied updates according to your organization's risk management process.
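The inventory-and-prioritize step described in the Operational Fix section and in this answer, worked through as an added example (this code is not part of the advisory or any Halo or Oracle tooling). It matches each record against the two affected versions the page lists, normalizes version strings so "14.1.2.1" and "14.1.2.1.0" compare equal, and orders affected hosts with internet-exposed, high-criticality instances first. The inventory rows, column names, priority labels and owner team names are constructed assumptions for illustration.

```python
"""Triage an Oracle Access Manager inventory against CVE-2026-35313.

Added example, not code from the advisory. AFFECTED_VERSIONS comes from the
page; the CSV columns, sample hosts, P1/P2 labels and ranking are assumptions.
"""
import csv
import io
from typing import Dict, List, Tuple

# Versions the advisory lists as affected (baseline releases).
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.1.0"}

# Lower rank sorts first; unknown criticality sorts last.
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample inventory (hostnames, owners and versions are made up).
SAMPLE_INVENTORY = """\
host,version,internet_exposed,criticality,owner
sso-edge-01.example.test,12.2.1.4.0,yes,high,iam-team
sso-edge-02.example.test,14.1.2.1,yes,high,iam-team
sso-int-01.example.test,12.2.1.4.0,no,medium,platform-team
sso-lab-01.example.test,14.1.2.0.0,no,low,platform-team
"""


def parse_version(v: str, width: int = 5) -> Tuple[int, ...]:
    """Convert '12.2.1.4' into (12, 2, 1, 4, 0).

    Comparing as integer tuples rather than strings avoids lexicographic
    surprises ('9.0' > '12.0' as strings) and right-pads with zeros so a
    shortened version string still matches its full form.
    """
    parts = [int(p) for p in v.strip().split(".")]
    if len(parts) > width:
        raise ValueError(f"unexpected version format: {v!r}")
    return tuple(parts + [0] * (width - len(parts)))


def is_affected(version: str) -> bool:
    """Exact match against the advisory's affected list after normalization."""
    affected = {parse_version(a) for a in AFFECTED_VERSIONS}
    return parse_version(version) in affected


def triage(inventory_csv: str) -> List[Dict[str, str]]:
    """Return affected records, most urgent first.

    Ordering: internet-exposed before internal-only, then by criticality,
    then by hostname for a stable result. Priority labels are an assumption.
    """
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    affected = [r for r in rows if is_affected(r["version"])]
    keyed = []
    for r in affected:
        exposed = r["internet_exposed"].strip().lower() == "yes"
        r["priority"] = "P1" if exposed else "P2"
        sort_key = (
            0 if exposed else 1,
            CRITICALITY_RANK.get(r["criticality"].strip().lower(), 3),
            r["host"],
        )
        keyed.append((sort_key, r))
    keyed.sort(key=lambda kv: kv[0])
    return [r for _, r in keyed]


def owners_to_notify(triaged: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group affected hosts by owning team so each owner gets one work item."""
    out: Dict[str, List[str]] = {}
    for r in triaged:
        out.setdefault(r["owner"], []).append(r["host"])
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_INVENTORY):
        print(rec["priority"], rec["host"], rec["version"], rec["owner"])
    print(owners_to_notify(triage(SAMPLE_INVENTORY)))
```

A caveat the version string cannot answer: Oracle advisories list affected baseline releases, so a host on 12.2.1.4.0 may already carry the fixing patch. After this triage, confirm the actual patch level on each flagged host (for example with OPatch's `opatch lsinventory`) before treating it as remediated, and re-run the exposure check rather than trusting the inventory's reachability column.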
