External risk intelligence

Oracle WebCenter Sites Takeover Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-46800

A critical vulnerability in Oracle WebCenter Sites allows unauthenticated attackers to compromise the system via network access, potentially leading to a complete takeover and impacting other products. This issue is easily exploitable and carries the highest severity score, necessitating an understanding of its potenti

Missing Authentication

Oracle WebCenter Sites

12.2.1.4.0, 14.1.2.0.0

Halo Surface Signal

Likely · external exposure


Oracle WebCenter Sites is a web content management application. These systems are commonly deployed as internet-facing or externally reachable web applications to serve content or provide administrative interfaces, and the vulnerability is exploitable via HTTP.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle WebCenter Sites, a product used for managing web content. This issue, rated with the highest severity score, allows for easy exploitation by unauthenticated attackers over the network, potentially leading to a complete takeover of the system and impacting other connected products. The main concern is to confirm if our environment is exposed.

  • Attackers can fully control the system.
  • Essential to confirm if our Oracle WebCenter Sites is affected.
  • Understand impact and prioritize exposure verification.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending network requests to an exposed Oracle WebCenter Sites instance. This would allow them to compromise the product, potentially impacting other connected Oracle Fusion Middleware products as well. Successful exploitation could lead to complete takeover of the WebCenter Sites environment.

  • No authentication required.
  • Network accessible HTTP.
  • Complete system takeover.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker with network access via HTTP could potentially take over Oracle WebCenter Sites. Per the advisory, such a takeover could also impact additional products beyond WebCenter Sites itself.

  • Oracle WebCenter Sites system data.
  • Via network access over HTTP.
  • Full system takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Oracle WebCenter Sites requires immediate attention, likely from platform or application owners responsible for Fusion Middleware. The first step is to confirm the presence and accessibility of affected Oracle WebCenter Sites instances, assess their business criticality, and identify the accountable teams for remediation planning.

  • Identify accountable application or platform owners.
  • Verify exposure and business criticality.
  • Plan risk-based remediation actions.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-46800 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Oracle WebCenter Sites allows an unauthenticated attacker to take over the system, which would likely cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Oracle WebCenter Sites?

Oracle WebCenter Sites is a web content management system within the Oracle Fusion Middleware family. Organizations use this platform to create, manage, and deliver dynamic web content and digital experiences across multiple channels. Because it functions as a central hub for web publishing, it often manages complex workflows and sensitive site data.

How does CWE-306 relate to CVE-2026-46800?

This vulnerability is classified as CWE-306, which refers to a Missing Authentication for Critical Function. Essentially, the software fails to verify the identity of a user before performing sensitive operations. In the context of this CVE, it means an attacker can perform restricted actions within the system without providing any credentials, leading to a complete compromise of the application.

Do I need to be authenticated to trigger this vulnerability?

No. The vulnerability does not require any authentication, meaning an attacker does not need a valid user account or login credentials to initiate an attack. The trigger path relies solely on network access via HTTP. It is important to note that actions performed by a legitimate authenticated user within the system do not trigger this specific flaw; it is the absence of authentication checks that creates the risk.

Is my Oracle WebCenter Sites instance at risk?

According to Halo Surface Signal, Oracle WebCenter Sites is often deployed as an internet-facing application to serve public web content. If your instance is reachable over the network, it faces a higher likelihood of risk. Systems that are exposed to the internet are more easily accessible to attackers, increasing the necessity for you to verify if your specific deployment is reachable and which version it is running.

What is the first step for responding to this CVE?

The priority is to locate all instances of Oracle WebCenter Sites within your environment. Once identified, confirm whether they are running one of the affected versions, 12.2.1.4.0 or 14.1.2.0.0. After verifying the presence of these versions, assess the business criticality of those specific systems and connect with the relevant platform owners to initiate remediation planning.
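A small triage helper for the inventory step just described and for the Operational Fix section above, added here as an example and not part of the advisory: it matches inventory records against the two affected versions, flags hosts whose version is unknown for manual checking, and orders the rest by exposure. The inventory records, the `criticality` and `owner` fields, and the P1/P2/P3 scheme are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Versions the advisory lists as affected by CVE-2026-46800.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.0.0"}

@dataclass
class Asset:
    host: str
    product: str
    version: str           # empty string when the inventory has no version
    internet_facing: bool  # reachable over HTTP from outside (external exposure)
    criticality: str       # "high" | "medium" | "low" (assumed CMDB field)
    owner: str             # accountable platform/application team (assumed field)

def classify(asset: Asset) -> str:
    """Return 'affected', 'unknown' or 'not_affected' for one inventory record.
    Matching is exact against the advisory's version list; anything else is
    reported as not affected, so keep the list in sync with the advisory."""
    if asset.product.strip().lower() != "oracle webcenter sites":
        return "not_affected"
    version = asset.version.strip()
    if not version:
        return "unknown"  # cannot rule the host out; needs manual verification
    return "affected" if version in AFFECTED_VERSIONS else "not_affected"

def priority(asset: Asset) -> Optional[str]:
    """Risk-based ordering for affected/unknown hosts (None when out of scope).
    P1: reachable from outside (unauthenticated HTTP, CVSS 10.0).
    P2: internal only, but business-critical.
    P3: everything else that still needs the patch or a manual version check."""
    if classify(asset) == "not_affected":
        return None
    if asset.internet_facing:
        return "P1"
    return "P2" if asset.criticality.lower() == "high" else "P3"

def triage(assets):
    """Ordered worklist: (priority, host, version, state, owner), P1 first."""
    rows = [(priority(a), a) for a in assets if priority(a)]
    rows.sort(key=lambda r: (r[0], r[1].host))
    return [(p, a.host, a.version or "?", classify(a), a.owner) for p, a in rows]

# Constructed inventory for illustration, not real hosts.
INVENTORY = [
    Asset("www-cms-01.example", "Oracle WebCenter Sites", "12.2.1.4.0", True, "high", "web-platform"),
    Asset("cms-stage.example", "Oracle WebCenter Sites", "14.1.2.0.0", False, "medium", "web-platform"),
    Asset("cms-legacy.example", "Oracle WebCenter Sites", "", False, "high", "legacy-apps"),
    Asset("cms-old.example", "Oracle WebCenter Sites", "12.2.1.3.0", True, "high", "web-platform"),
    Asset("portal-01.example", "Oracle WebCenter Portal", "12.2.1.4.0", True, "high", "portal-team"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("\t".join(row))
```

The `cms-old.example` record carries a constructed version that is not on the advisory's list, so it is not flagged; whether such a release is still supported is a separate check against Oracle's lifecycle information.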

References