CVE-2026-35283: Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle)
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical-severity remote code execution vulnerability affects Oracle WebCenter Enterprise Capture (Client Bundle), versions 12.2.1.4.0 and 14.1.2.0.0. The flaw is reachable over the network via the T3 and IIOP protocols using any low-privilege account, with no victim interaction needed, and carries a scope-change rating meaning a successful attacker can pivot beyond the compromised component. Exploitation results in full takeover of Oracle WebCenter Enterprise Capture, including complete control over confidentiality, integrity, and availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from Oracle and upstream security feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images layering Oracle Fusion Middleware components.
Status: Available
HarborGuard is capable of scoring this finding at CVSS 9.9 Critical and weighting it against each environment's compliance policy to flag priority routing; findings are automatically dispatched to the appropriate team inbox within each customer organization based on configured ownership rules.
Status: Available
No fix version has been published by Oracle for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available immediately once Oracle releases a corrected version; for customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the service over the network via the T3 or IIOP protocol; no local or physical access is needed.
- Authentication: Required
Any low-privilege account is sufficient; the attacker does not need administrative credentials.
- Victim interaction: Not required
No user action or social engineering is needed; the attacker can exploit the service directly without any victim involvement.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or environmental setup.
Blast Radius
- Reads all data stored within Oracle WebCenter Enterprise Capture, including captured documents, metadata, and stored credentials.
- Modifies or deletes persisted capture jobs, document records, and configuration data within the application.
- Crashes or renders the Oracle WebCenter Enterprise Capture service unavailable, disrupting document ingestion workflows.
- Because the CVSS scope is changed, a successful attacker can extend access to additional co-hosted Oracle Fusion Middleware components beyond the directly compromised product.
How HarborGuard Handles This
Available on HarborGuard: detection of this CVE is active for all connected environments, matching images that include Oracle WebCenter Enterprise Capture 12.2.1.4.0 or 14.1.2.0.0 against the advisory record. Because Oracle has not yet published a fix, no patched-image rebuild is currently available. HarborGuard monitors the Oracle advisory and upstream feeds on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is released; for customers with auto-remediation enabled, that will include a regression test run and a PR opened against affected workloads. In the interim, customers should consider applying network-policy controls to restrict T3 and IIOP access to Oracle WebCenter Enterprise Capture to known trusted sources only, and should review egress filtering rules to limit lateral movement in the event of exploitation given the scope-change rating of this CVE.
- Oracle Corporation / Oracle WebCenter Enterprise Capture: 12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H