Oracle WebLogic Server CVE-2026-35263

EUVD-2026-37396 · CRITICAL
Improper Access Control (CWE-284)
2026-06-16 · oracle
CVSS 3.1 base score 9.9 · Vendor: oracle

Severity by source

Vendor (oracle), primary: 9.9 CRITICAL, AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI: 9.9 CRITICAL

Network-reachable HTTP listener (AV:N), vendor calls it easily exploitable (AC:L), any low-privilege WebLogic account suffices (PR:L), no user interaction, full takeover with cross-component impact (S:C, C/I/A:H).

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS Vector (Vendor: oracle)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 16, 2026, 21:17 (vuln.today)

Description (CVE.org)

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Analysis (AI)

Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by a low-privileged attacker over HTTP, with a CVSS 3.1 score of 9.9 driven by a scope change that lets the impact spread beyond WebLogic itself. Oracle has issued the fix in the June 2026 Critical Patch Update (cspujun2026), and there is no public exploit identified at time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed WebLogic 14.1.2 / 15.1.1 HTTP listener
Delivery: Obtain low-privilege WebLogic credential
Exploit: Send crafted HTTP request to Core component
Execution: Trigger flaw and execute attacker logic in server context
Persist: Take over WebLogic Server process
Impact: Pivot via scope change into back-end Fusion Middleware and data stores

Vulnerability Assessment (AI)

Exploitation: Requires (1) network reachability to a WebLogic Server 14.1.2.0.0 or 15.1.1.0.0 HTTP listener and (2) a valid low-privilege WebLogic account (PR:L); any authenticated role is sufficient and no admin rights are needed. No user interaction is required (UI:N) and attack complexity is low (AC:L). …
Risk Assessment: Risk is high in absolute terms and high in real-world terms. …
Exploit Scenario: An attacker obtains or phishes any low-privilege WebLogic account (for example a monitoring user, a service-account credential leaked in a config file, or a weak password on an application role) and sends a crafted HTTP request to a WebLogic-managed endpoint that triggers the Core flaw, gaining full control of the server process and, via the scope change, pivoting into back-end databases, identity stores or other Fusion Middleware components hosted on the same trust boundary. No user interaction is required and attack complexity is low, so the same request can be replayed across an entire fleet once the technique is known; no public exploit is identified at time of analysis.
Remediation: Apply the patch shipped in Oracle's June 2026 Critical Patch Update (cspujun2026), available per the vendor advisory at https://www.oracle.com/security-alerts/cspujun2026.html, to both 14.1.2.0.0 and 15.1.1.0.0 deployments. Oracle's documented practice is to require the full CPU bundle rather than individual hotfixes. …

Recommended Action (AI)

24 hours: Conduct inventory of all Oracle WebLogic 14.1.2.0.0 and 15.1.1.0.0 instances; restrict HTTP access to production environments where operationally feasible; document application dependencies on affected versions. …
