Skip to main content

Oracle WebLogic Server CVE-2026-35301

| EUVD-2026-37427 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
Oracle Weblogic Server Authentication Bypass
10.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

HTTP-reachable Console, no auth or interaction, low complexity, full CIA takeover, and explicit scope change to adjacent middleware all match Oracle's description.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:34 vuln.today

DescriptionCVE.org

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is possible via the Console component, allowing an unauthenticated network attacker to fully compromise the server with a scope change that impacts adjacent products. The CVSS 3.1 base score of 10.0 reflects the worst-case combination of network reachability, low complexity, no privileges, and full CIA impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Scan for exposed WebLogic Console
Delivery
Send crafted HTTP request to /console
Exploit
Bypass authentication on vulnerable component
Install
Execute code as WebLogic process user
C2
Pivot via scope change to middleware
Execute
Deploy malicious WAR for persistence
Impact
Exfiltrate domain credentials and data
Sign in to reveal

Vulnerability AssessmentAI

Exploitation The vulnerable WebLogic Administration Console must be reachable over HTTP/HTTPS from the attacker's network position, and the target must be running WebLogic Server 12.2.1.4.0 or 14.1.1.0.0 with the Console component enabled (the default on most domains). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to maximum severity: the CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H yielding 10.0, meaning no authentication, no user interaction, and a scope change that broadens blast radius beyond WebLogic itself. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scanning the internet for exposed WebLogic Console endpoints sends a single crafted HTTP request to the /console path of a 12.2.1.4.0 or 14.1.1.0.0 instance and obtains remote code execution as the WebLogic process user without authenticating. They then pivot through the scope change to read database credentials from the domain config, deploy a malicious WAR for persistence, and move laterally into the application's data tier. …
Remediation Apply the patches distributed in the Oracle Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html for WebLogic Server 12.2.1.4.0 and 14.1.1.0.0; exact post-patch build numbers are documented in that advisory and should be cited from there rather than guessed. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Complete inventory of all Oracle WebLogic Server deployments with versions 12.2.1.4.0 and 14.1.1.0.0, identifying internet-facing or externally-accessible Console components. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-35292 CRITICAL
10.0 Jun 16

Unauthenticated remote takeover in Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Console component) allows network a
CVE-2026-35263 CRITICAL
9.9 Jun 16

Remote takeover of Oracle WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 (Fusion Middleware, Core component) is achievable by
CVE-2026-35300 CRITICAL
9.8 Jun 16

Remote takeover of Oracle WebLogic Server (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) is possible by u
CVE-2026-35298 CRITICAL
9.1 Jun 16

Authenticated takeover of Oracle WebLogic Server (Fusion Middleware Core component) is possible by a high-privileged att
CVE-2026-35299 HIGH
8.8 Jun 16

Authenticated takeover of Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 is achievable through the administrative Cons

Share

CVE-2026-35301 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy