CVE-2026-35280: Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle)
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1
- 9.9
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A critical remote-code-execution vulnerability affects Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0), reachable over the network via the T3 and IIOP protocols using any low-privilege account. Successful exploitation gives an attacker full takeover of the affected product, with a scope change meaning the impact can extend to adjacent systems and components beyond the directly targeted service. No vendor patch has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as Oracle releases a fix.
HarborGuard Coverage
Detection of CVE-2026-35280 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Oracle's advisory channel) within minutes of publication and matched against all customer images, including custom-built images that bundle the Oracle WebCenter Enterprise Capture Client Bundle component. Scanning covers both registry-stored images and images in active CI/CD pipelines.
AvailableHarborGuard is capable of scoring this CVE at its published CVSS v3.1 base score of 9.9 (Critical) and weighting it against each customer organization's compliance policy to determine priority. Triage results are routable to the team or inbox configured for Critical-severity findings within each environment.
AvailableBecause no fix version has been published by Oracle, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be initiated without manual intervention as soon as the fix becomes available.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the service over the network via the T3 or IIOP protocol; the service must be network-exposed for exploitation to succeed.
- AuthenticationRequired
Any low-privilege account is sufficient; the attacker does not need administrative credentials, but must authenticate to the service.
- Victim interactionNot required
No user interaction is needed; the attacker can exploit the vulnerability entirely without involving a logged-in user.
- Attack complexityDetail
The exploit is reliable and condition-free, with no race conditions or special environmental factors required to trigger the vulnerability.
Blast Radius
- A successful attacker gains full control over the Oracle WebCenter Enterprise Capture service, including the ability to read all stored documents, captured data, and session credentials.
- The attacker can modify or delete persisted capture workflows, document records, and configuration data.
- The attacker can crash or permanently disable the Capture service, halting document-processing operations.
- Because the CVSS scope is marked as changed, a successful attacker can pivot from the compromised Capture instance to other products and services sharing the same middleware environment.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-35280, HarborGuard continuously re-checks the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment Oracle ships a fix. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls are worth considering: network-policy rules that restrict inbound access to the T3 and IIOP ports to only trusted internal sources, egress filtering to limit lateral movement if the service is compromised, and account-level controls that reduce the population of low-privilege accounts able to reach the endpoint. HarborGuard will surface any Oracle-issued advisory update, workaround guidance, or interim patch as soon as it is published.
- Oracle Corporation / Oracle WebCenter Enterprise Capture12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H