CVE-2026-35281: Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle)
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1
- 9.9
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
A critical remote code execution vulnerability affects Oracle WebCenter Enterprise Capture (versions 12.2.1.4.0 and 14.1.2.0.0), reachable over the network via the T3 and IIOP protocols with only a low-privilege account. Exploitation results in full takeover of the affected product, and the scope change in the CVSS vector means successful attacks can cascade into compromising additional systems beyond the initial target. No fix versions have been published by Oracle as of the CVE publication date; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection of CVE-2026-35281 is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built images derived from Oracle Fusion Middleware base layers. Any image in a customer registry or CI pipeline carrying affected versions 12.2.1.4.0 or 14.1.2.0.0 of the Client Bundle component is flagged automatically.
AvailableTriage is available using the published CVSS 3.1 base score of 9.9 (Critical), which HarborGuard surfaces alongside per-environment compliance policy weighting to prioritize the finding appropriately for each org. Routed alerts reach the right inbox or ticketing integration within each customer environment based on the severity tier and policy configuration in place.
AvailableBecause no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle ships a remediated release. In the interim, compensating controls such as network-policy isolation of T3 and IIOP ports, egress filtering, and access restrictions to low-privilege account creation can be applied within affected environments while awaiting an official fix.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the Oracle WebCenter Enterprise Capture service over the network via the T3 or IIOP protocol (AV:N).
- AuthenticationRequired
The attacker must hold any low-privilege account; no elevated or administrative credentials are needed (PR:L).
- Victim interactionNot required
No user interaction or social engineering is necessary; the attacker can exploit the vulnerability entirely on their own (UI:N).
- Attack complexityDetail
The exploit is reliable and condition-free, with no race conditions or special environmental factors required to succeed (AC:L).
Blast Radius
- A successful attacker achieves full takeover of the Oracle WebCenter Enterprise Capture instance, reading all stored documents, credentials, and session data held by the service.
- The attacker can modify or delete persisted capture workflows, document records, and configuration data within the compromised product.
- The service can be crashed or made unavailable, disrupting any business process dependent on the capture pipeline.
- Because the CVSS scope is changed (S:C), the attacker can pivot from the compromised WebCenter instance to compromise additional products or services that share the same host, network segment, or trust boundary.
How HarborGuard Handles This
Available on HarborGuard: because no Oracle patch exists yet for CVE-2026-35281, HarborGuard re-evaluates the advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment Oracle publishes a fix. Until then, customers can use HarborGuard network-policy suggestions to isolate T3 (port 7001/7002 by default) and IIOP listener ports at the container or Kubernetes network-policy level, restricting access to only explicitly authorized service accounts. Egress filtering rules can also be applied to limit the blast radius if a container is compromised. For environments with auto-remediation enabled, a rebuilt image, regression-test run, and a PR against affected workloads will be opened automatically once a fix version is available upstream, with median time from CVE patch publication to merged PR for critical-severity issues around 90 minutes.
- Oracle Corporation / Oracle WebCenter Enterprise Capture12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H