Skip to main content

Oracle WebLogic Server CVE-2026-35292

| EUVD-2026-37419 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
Oracle Weblogic Server Authentication Bypass
10.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Console is reachable over HTTP without authentication or user interaction (AV:N/AC:L/PR:N/UI:N); vendor confirms takeover with cross-product impact, supporting S:C and C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:29 vuln.today

DescriptionCVE.org

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network attackers to fully compromise the server over HTTP with no user interaction, earning the maximum CVSS 10.0 due to a scope change that can impact adjacent products. Oracle's June 2026 Critical Patch Update is the sole intelligence source; no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify exposed WebLogic /console endpoint
Delivery
Send crafted unauthenticated HTTP request
Exploit
Trigger flaw in Console component
Install
Execute code as WebLogic process user
C2
Cross scope into hosted apps and datastores
Execute
Persist via deployed web application
Impact
Exfiltrate or disrupt business data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires only HTTP reachability to the WebLogic Administration Console (typically the admin port hosting /console) on a server running 14.1.2.0.0 or 15.1.1.0.0; no credentials, user interaction, or non-default configuration are required per the CVSS PR:N/UI:N vector and Oracle's 'easily exploitable, unauthenticated' description. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All static signals point to maximum severity: CVSS 3.1 base 10.0 with AV:N/AC:L/PR:N/UI:N (no auth, low complexity, network-reachable) plus S:C and C:H/I:H/A:H - Oracle explicitly describes 'takeover' impacting additional products beyond WebLogic itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the WebLogic Administration Console over HTTP - for example, an internet-exposed /console endpoint or a flat corporate network - sends a crafted unauthenticated HTTP request to the Console component, gains code execution in the WebLogic process, and then pivots into hosted applications and back-end databases, leveraging the scope change to compromise systems beyond the WebLogic instance itself. No POC has been published at the time of analysis, but historically equivalent WebLogic Console flaws have seen mass scanning within 72 hours of Oracle CPU release.
Remediation Apply Oracle's June 2026 Critical Patch Update (cpujun2026) immediately to WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 - see https://www.oracle.com/security-alerts/cspujun2026.html for the exact patch bundle; specific patched build numbers are not enumerated in the feed and must be confirmed in the Oracle advisory matrix. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all Oracle WebLogic Server 14.1.x and 15.1.x instances; determine network exposure and accessibility from untrusted sources; review access logs for suspicious activity patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-35301 CRITICAL
10.0 Jun 16

Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an u
CVE-2026-35263 CRITICAL
9.9 Jun 16

Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by
CVE-2026-35300 CRITICAL
9.8 Jun 16

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by u
CVE-2026-35298 CRITICAL
9.1 Jun 16

Authenticated takeover of Oracle WebLogic Server (Fusion Middleware Core component) is possible by a high-privileged att
CVE-2026-35299 HIGH
8.8 Jun 16

Authenticated takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is achievable through the administrative Cons

Share

CVE-2026-35292 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy