
Oracle WebCenter Content CVE-2026-35286

EUVD-2026-37415 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle

Severity by source

Vendor (oracle), PRIMARY: 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI: 9.8 CRITICAL

Vendor states easily exploitable, unauthenticated, network HTTP access with no user interaction, yielding full takeover, with confidentiality, integrity, and availability all High.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS Vector (Vendor: oracle)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 16, 2026 - 21:27 (vuln.today)

Description (CVE.org)

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Analysis (AI)

Remote takeover of Oracle WebCenter Content 12.2.1.4.0 and 14.1.2.0.0 allows unauthenticated network attackers to fully compromise the Content Server component via HTTP, with no public exploit identified at time of analysis. The CVSS 9.8 score reflects complete confidentiality, integrity, and availability impact, and Oracle disclosed the issue in its June 2026 Critical Patch Update. …

Attack Chain (AI, Derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Identify exposed WebCenter Content HTTP endpoint
  • Delivery: Send crafted unauthenticated request to Content Server
  • Exploit: Trigger vulnerability in component
  • Execution: Gain takeover-level control of application
  • Persist: Access or modify managed content
  • Impact: Pivot into Fusion Middleware host

Vulnerability Assessment (AI)

Exploitation: No special conditions - remote unauthenticated exploitation against default configurations of Oracle WebCenter Content 12.2.1.4.0 or 14.1.2.0.0 with the Content Server HTTP interface reachable by the attacker (CVSS AV:N/AC:L/PR:N/UI:N). …

Risk Assessment: Risk is high and concrete: CVSS 3.1 AV:N/AC:L/PR:N/UI:N gives remote, low-complexity, unauthenticated exploitation, and Oracle itself characterizes the flaw as 'easily exploitable' with takeover impact (C:H/I:H/A:H). …

Exploit Scenario: An attacker on the internet identifies an Oracle WebCenter Content server (commonly fingerprinted via /cs/ or /idcplg URLs), sends a crafted HTTP request against the vulnerable Content Server component without supplying credentials, and gains takeover-level control of the application. From there the attacker can read or modify managed documents, pivot into the underlying Fusion Middleware/WebLogic host, and use stored credentials or trust relationships to move laterally; no public exploit is identified at time of analysis, but Oracle CPU bugs of this profile are typically reproduced quickly after disclosure.

Remediation: Apply the Oracle June 2026 Critical Patch Update (cspujun2026) immediately to both 12.2.1.4.0 and 14.1.2.0.0 installations per https://www.oracle.com/security-alerts/cspujun2026.html; the patch status is 'Patch available per vendor advisory', with no separately confirmed point-release number in the supplied data. …

Recommended Action (AI)

Within 24 hours: Inventory all WebCenter Content deployments; identify systems exposed to untrusted networks and prioritize isolation. …
