CRITICAL · CVE-2026-35263 · CNA: oracle

CVE-2026-35263: Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core)

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a critical remote code execution vulnerability in Oracle WebLogic Server (Core component), affecting versions 14.1.2.0.0 and 15.1.1.0.0. It is reachable over the network via HTTP and requires only a low-privileged account, with no victim interaction needed. Successful exploitation gives an attacker full takeover of the WebLogic Server instance, with impacts that spill beyond the server itself into adjacent systems (scope change). No fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment Oracle ships a fix.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-35263 is available across every HarborGuard environment, with the CVE matched against container images in customer registries and CI/CD pipelines within minutes of publication. This coverage extends to custom-built images that bundle WebLogic Server at the affected versions.

Triage (status: Available)

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 base score of 9.9 (Critical) and weighting it against each environment's compliance policy to determine priority. Findings are routed to the appropriate inbox within each customer organization based on configured escalation rules.

Patch (status: Pending upstream)

Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, compensating controls such as network-policy isolation and egress filtering can be applied through HarborGuard's policy engine where supported by customer configuration.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WebLogic Server over the network via HTTP (AV:N); no local or physical access is required.

  • Authentication: Required

    Any low-privileged account is sufficient (PR:L); the attacker does not need administrative or elevated credentials.

  • Victim interaction: Not required

    No user action or social-engineering step is needed (UI:N); the attacker can exploit the vulnerability entirely on their own.

  • Attack complexity: Low

    Attack complexity is low (AC:L), meaning exploitation does not depend on conditions outside the attacker's control such as race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • Reads all data accessible to the WebLogic Server process, including credentials, session tokens, and application secrets.
  • Modifies or deletes application data, configuration files, and persisted state managed by the server.
  • Crashes or fully disables the WebLogic Server instance, taking down dependent applications and services.
  • Impacts extend beyond the compromised server itself (scope change), meaning adjacent systems and services in the same environment are also at risk of being reached or disrupted.

How HarborGuard Handles This

Available on HarborGuard: because no Oracle patch exists yet, HarborGuard continuously re-evaluates the advisory on every ingest cycle so that a patched-image rebuild becomes available the moment Oracle publishes a fix. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention. While waiting for an upstream fix, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation to restrict HTTP access to WebLogic endpoints, egress filtering to limit lateral reach in the event of compromise, and feature-flag gating to disable non-essential Core component endpoints where the application permits. The CVE is flagged Critical and will be re-evaluated and re-routed automatically if Oracle revises the advisory or publishes a patch.

Affected packages
  • Oracle Corporation / WebLogic Server: 14.1.2.0.0 · 15.1.1.0.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H