CVE-2026-35313
Oracle · Access Manager
A critical vulnerability in the Oracle Access Manager authentication engine allows a low-privileged, network-adjacent attacker to achieve full system takeover via HTTP.
Executive summary
A critical vulnerability in Oracle Access Manager permits low-privileged attackers to gain full system control through the authentication engine.
Vulnerability
This vulnerability exists in the Authentication Engine of Oracle Access Manager. It is easily exploitable over HTTP by a low-privileged attacker, leading to a scope change (the impact extends beyond the vulnerable component itself) and complete takeover of the Access Manager.
Business impact
The CVSS score of 9.9 underscores the severe risk this vulnerability presents. As a core authentication component, a compromise of Oracle Access Manager could lead to widespread unauthorized access, credential theft, and the subversion of security controls across the entire enterprise application environment.
Remediation
Immediate Action: Apply the latest security patches for Oracle Access Manager as detailed in the Oracle Security Alert for June 2026.
Proactive Monitoring: Monitor authentication logs for unusual behavior or high-frequency login failures, and review system logs for indicators of unauthorized administrative actions.
Compensating Controls: Deploy WAF rules that block malicious HTTP requests targeting the authentication engine, and restrict access to the Access Manager console to known, secure IP ranges.
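As an added example, not part of this advisory or of Oracle's own tooling, the following Python script implements the two defensive checks above (high-frequency login failures per source, and console access from outside an allowed range) over constructed log lines. The log layout, the /auth/submit and /admin-console paths, the failure threshold and the allowed network are all assumptions to be adapted to a real deployment.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in an assumed "timestamp src_ip result path" layout; adapt LINE_RE to real logs.
SAMPLE_LOG = """\
2026-06-02T10:00:01Z 203.0.113.7 FAIL /auth/submit
2026-06-02T10:00:03Z 203.0.113.7 FAIL /auth/submit
2026-06-02T10:00:05Z 198.51.100.5 FAIL /auth/submit
2026-06-02T10:00:08Z 203.0.113.7 FAIL /auth/submit
2026-06-02T10:00:12Z 203.0.113.7 FAIL /auth/submit
2026-06-02T10:00:15Z 10.1.2.3 SUCCESS /admin-console/
2026-06-02T10:00:20Z 203.0.113.7 FAIL /auth/submit
2026-06-02T10:00:40Z 192.0.2.9 SUCCESS /admin-console/
2026-06-02T10:03:00Z 198.51.100.5 FAIL /auth/submit
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (SUCCESS|FAIL) (\S+)$")
FAIL_THRESHOLD = 5                 # failures from one source within WINDOW
WINDOW = timedelta(seconds=60)
CONSOLE_PREFIX = "/admin-console"  # assumed path prefix of the admin console
ALLOWED_CONSOLE_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # placeholder range


def analyze(lines):
    """Return (alert_type, src_ip) pairs in the order they are raised."""
    alerts = []
    recent_fails = defaultdict(deque)  # src_ip -> timestamps of recent failures
    flagged = set()                    # sources already reported for bursts
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        ts_str, ip, result, path = m.groups()
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
        # Console access from outside the allow-list is reported every time.
        if path.startswith(CONSOLE_PREFIX):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in ALLOWED_CONSOLE_NETS):
                alerts.append(("console_from_unexpected_ip", ip))
        # Sliding-window count of failures per source; alert once per source.
        if result == "FAIL":
            q = recent_fails[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ip not in flagged:
                flagged.add(ip)
                alerts.append(("high_frequency_failures", ip))
    return alerts
```

Running `analyze(SAMPLE_LOG.splitlines())` on the constructed input flags 203.0.113.7 for five failures in under a minute and 192.0.2.9 for reaching the console from outside the allowed range, while the two spread-out failures from 198.51.100.5 stay below the threshold.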
Exploitation status
Public Exploit Available: False
Analyst recommendation
Securing the authentication engine is paramount. Given the high criticality of this vulnerability, administrators should expedite the patching of all Oracle Access Manager instances to prevent the potential for widespread security failure.