Severity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
HTTP-reachable management surface (AV:N/AC:L), high WebLogic role required per Oracle (PR:H), no user interaction, and confirmed scope change with full C/I/A takeover.
Primary rating from Vendor (oracle).
CVSS Vector (Vendor: oracle): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Description (source: CVE.org)
Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Analysis (AI-generated)
Authenticated takeover of Oracle WebLogic Server (Fusion Middleware Core component) is possible by a high-privileged attacker over HTTP, with a scope change that can impact additional products beyond WebLogic itself. Affected versions are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0, with a CVSS 3.1 base score of 9.1. …
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The attacker must (1) have network reachability to a WebLogic HTTP-exposed endpoint on an affected build (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0) and (2) already hold high WebLogic privileges (CVSS PR:H, typically an Admin, Deployer, or comparable role on the domain). … |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H produces 9.1 primarily because of the scope change and the full impact triad; the PR:H requirement materially limits real-world attackers to those who already hold high WebLogic privileges (e.g., a WebLogic Admin account, a compromised operator credential, or an upstream RCE that yields admin context). … |
| Exploit Scenario | An attacker who has obtained WebLogic admin or equivalent high-privilege credentials (for example via phishing of a middleware operator, reuse of leaked credentials, or a pivot from an adjacent compromised application) reaches the WebLogic management HTTP interface over the network and issues a crafted request to the Core component. The request abuses the flaw to take over the WebLogic instance and, because of the scope change, can extend into other Fusion Middleware products that trust that WebLogic runtime, ending with deployed malicious applications or extracted secrets. … |
| Remediation | Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for each affected WebLogic Server release line (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0); a patch is available per the vendor advisory, and exact post-patch build numbers should be taken directly from the Oracle CPU patch matrix. … |
Recommended Action (AI-generated)
Within 24 hours: Inventory all WebLogic deployments running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0; restrict administrative network access via firewall rules; enable detailed audit logging of administrative activities. …
EUVD-2026-37424