CVE-2026-35270 | Severity: CRITICAL | CNA: oracle

CVE-2026-35270: Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server)

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: none listed
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical remote takeover vulnerability exists in the Content Server component of Oracle WebCenter Content, part of Oracle Fusion Middleware, affecting versions 12.2.1.4.0 and 14.1.2.0.0. The flaw is reachable over the network via HTTP and requires a high-privileged account, but no victim interaction. Successful exploitation gives an attacker full control over the Content Server instance, with impacts extending to confidentiality, integrity, and availability across additional connected products due to a scope change. No upstream fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-35270 is available across every HarborGuard environment, with ingestion from upstream advisory feeds occurring within minutes of publication and matching performed against all images in customer registries and CI/CD pipelines, including custom-built images that bundle Oracle WebCenter Content components. Any image found running an affected version (12.2.1.4.0 or 14.1.2.0.0) is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this finding at its CVSS v3.1 base score of 9.1 (Critical) and weighting it further against each customer environment's compliance policy to determine urgency. Routed findings land in the inbox of the team or individual designated by that environment's notification rules, ensuring the right people see it without manual triage overhead.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a remediated release. In the interim, customers can use HarborGuard's compensating-control recommendations, including network-policy isolation to restrict HTTP access to the Content Server to known trusted sources, to reduce exposure while waiting for an upstream patch.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle WebCenter Content Server over the network via HTTP; no physical or local access is assumed.

  • Authentication: Required

    A high-privileged account (such as an administrator credential) is needed to initiate the attack, though no lower-privilege escalation step is required first.

  • Victim interaction: Not required

    No user action or social-engineering step is needed; the attacker can exploit the vulnerability without any involvement from a legitimate user.

  • Attack complexity: Detail

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.

Blast Radius

  • A successful attacker achieves full takeover of the Oracle WebCenter Content instance, reading all stored content, metadata, and credentials held by the server.
  • The attacker can modify or delete any content, configuration, or persisted data managed by Content Server, corrupting document workflows and audit trails.
  • The Content Server process can be crashed or made unavailable, disrupting all dependent document management and publishing workflows.
  • Because the CVSS scope is marked as Changed, exploitation can pivot to compromise additional Oracle Fusion Middleware products that trust or integrate with the affected Content Server.

How HarborGuard Handles This

Available on HarborGuard: this CVE is ingested and matched against customer images within minutes of publication, and any environment running Oracle WebCenter Content 12.2.1.4.0 or 14.1.2.0.0 inside a container image is flagged at Critical severity. Because Oracle has not yet published a fix version, no patched-image rebuild can be generated automatically; however, HarborGuard re-evaluates the advisory on every ingest cycle and will initiate the rebuild-and-PR flow the moment an upstream patch is available. For customers with auto-remediation enabled, that flow delivers a rebuilt image, a regression-test run, and a pull request opened against affected workloads, with median time from CVE publication to merged patch PR for Critical-severity issues around 90 minutes once the upstream fix exists. While waiting for a patch, HarborGuard surfaces compensating-control guidance: apply Kubernetes network policies or firewall rules to restrict HTTP access to the Content Server to only known trusted internal sources, and consider feature-flag or deployment-level gating to take the service offline in environments where it is not actively required.

Affected packages
  • Oracle Corporation / Oracle WebCenter Content
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H