What is the CVSS score of CVE-2026-35299?

CVE-2026-35299 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.5%.

Which versions of Oracle WebLogic Server are affected by CVE-2026-35299?

Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 contain a vulnerability in the administrative Console that allows any authenticated user to gain complete server control, enabling full…

How to fix or mitigate CVE-2026-35299?

24 HOURS: Audit all Oracle WebLogic Server installations to identify systems running versions 12.2.1.4.0 or 14.1.1.0.0; immediately restrict WebLogic Console network access to administrative networks only and inventory all Console users. 7 DAYS: Implement multi-factor authentication for Console access where technically feasible; deploy network monitoring on Console endpoints (port 7002 by default) to detect exploitation attempts; audit recent Console access logs for suspicious activity. 30 DAYS: Subscribe to Oracle Security Alerts for patch availability; develop and test patch deployment plan; evaluate architectural changes to reduce Console exposure (e.g., administrative bastion hosts, Console access tiering).

Oracle WebLogic Server CVE-2026-35299

EUVD-2026-37425 HIGH

Missing Authentication for Critical Function (CWE-306)

2026-06-16 oracle

Oracle Weblogic Server Authentication Bypass

8.8

CVSS 3.1 · Vendor: oracle

Severity by source

Vendor (oracle) PRIMARY

8.8 HIGH

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI

8.8 HIGH

Console reachable over HTTP (AV:N), no special timing or config (AC:L), any authenticated WebLogic role suffices (PR:L), no user interaction, and full server takeover yields C:H/I:H/A:H within the JVM scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Jun 16, 2026 - 21:32 vuln.today

DescriptionCVE.org

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Authenticated takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is achievable through the administrative Console component, where a low-privileged HTTP-authenticated attacker can fully compromise confidentiality, integrity, and availability of the server. Oracle reports the issue as easily exploitable and rates it CVSS 8.8, though no public exploit identified at time of analysis and the vulnerability is not currently listed in CISA KEV. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Discover exposed WebLogic Console

Delivery

Obtain low-privilege credentials

Exploit

Authenticate to Console over HTTP

Execution

Send crafted request to vulnerable endpoint

Persist

Achieve code execution as WebLogic user

Impact

Deploy webshell or pivot to backend systems

Access

Discover exposed WebLogic Console

Delivery

Obtain low-privilege credentials

Exploit

Authenticate to Console over HTTP

Execution

Send crafted request to vulnerable endpoint

Persist

Achieve code execution as WebLogic user

Impact

Deploy webshell or pivot to backend systems

Vulnerability AssessmentAI

Exploitation	Exploitation requires (1) network reachability to the WebLogic administrative Console over HTTP or HTTPS - typically port 7001 or 7002 on the AdminServer, and (2) valid credentials for any WebLogic account with at least a low-privilege role such as Monitor, Operator, or Deployer (PR:L); no user interaction and no elevated administrator role is needed, and the attack works against default configurations of the affected 12.2.1.4.0 and 14.1.1.0.0 versions where the Console is enabled (the default). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H translates to a high-severity, easily exploitable, low-privilege network attack with full triad impact - a realistic priority once a working exploit appears, particularly because WebLogic Consoles are frequently reachable from internal networks and sometimes inadvertently exposed to the internet. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who has obtained any low-privileged WebLogic account - for example through credential stuffing against an exposed Console, a phished operator user, or a default account left from a lab deployment - authenticates to the Console over HTTP/HTTPS and issues a crafted request to a vulnerable Console endpoint to escalate to full server takeover, deploying a malicious WAR or executing arbitrary commands as the WebLogic process user. From that foothold the attacker pivots to backend databases, JMS queues, and integrated Fusion Middleware components hosted by the domain. …
Remediation	Apply the patch available per vendor advisory by installing the June 2026 Oracle Critical Patch Update for WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; exact fix patch numbers are listed in the CPU matrix and should be applied to each managed server in the domain followed by a rolling restart. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 HOURS: Audit all Oracle WebLogic Server installations to identify systems running versions 12.2.1.4.0 or 14.1.1.0.0; immediately restrict WebLogic Console network access to administrative networks only and inventory all Console users. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-35292 CRITICAL Act Now

10.0 Jun 16

Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network a

CVE-2026-35301 CRITICAL Act Now

10.0 Jun 16

Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an u

CVE-2026-35263 CRITICAL Act Now

9.9 Jun 16

Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by

CVE-2026-35300 CRITICAL Act Now

9.8 Jun 16

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by u

CVE-2026-35298 CRITICAL Act Now

9.1 Jun 16

Authenticated takeover of Oracle WebLogic Server (Fusion Middleware Core component) is possible by a high-privileged att

CVE-2026-35299 vulnerability details – vuln.today

Back

Oracle WebLogic Server CVE-2026-35299

Severity by source

CVSS VectorVendor: oracle

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code