CVE-2026-35284: Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle)
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical remote-code-execution class vulnerability affects Oracle WebCenter Enterprise Capture (Client Bundle component), versions 12.2.1.4.0 and 14.1.2.0.0. The flaw is reachable over the network via the T3 and IIOP protocols with only a low-privilege account, and requires no victim interaction. Successful exploitation gives an attacker full takeover of the affected instance, with scope change indicating impact can spread to additional products in the same environment. No upstream fix has been published yet; HarborGuard is tracking this advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-35284 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Oracle WebCenter Enterprise Capture components. Coverage applies to both tagged releases and intermediate build layers.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS 3.1 base score of 9.9 (Critical) and weighting it against each environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy rules.
Status: Available
Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression-test run, and pull request against affected workloads will be triggered without manual intervention once a fix version appears.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the service over the network via the T3 or IIOP protocol; internet- or intranet-exposed deployments are directly in scope.
- Authentication: Required
  A low-privilege account is sufficient; no administrative or elevated credentials are needed to trigger the vulnerability.
- Victim interaction: Not required
  No victim action is needed; the attacker can exploit the vulnerability entirely without user participation.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other unpredictable environmental factors.
Blast Radius
- Reads all data accessible to the WebCenter Enterprise Capture service, including captured documents, metadata, and stored credentials.
- Modifies or deletes persisted document records and configuration data within the application.
- Crashes or fully disables the WebCenter Enterprise Capture service, interrupting document capture workflows.
- Because the CVSS scope is changed, a successful attacker can pivot to compromise additional products and services running in the same Fusion Middleware environment.
How HarborGuard Handles This
Available on HarborGuard: since Oracle has not yet published a fix for CVE-2026-35284, the platform monitors the Oracle advisory on every ingest cycle and will surface a patched-image rebuild the moment a corrected version is released.
In the interim, customers are advised to apply compensating controls through HarborGuard network-policy rules: isolate WebCenter Enterprise Capture pods from untrusted network segments, restrict inbound access to T3 and IIOP ports (typically 7001/7002) to known-good source ranges using egress and ingress filtering, and consider feature-flag or deployment-level gating to disable the Client Bundle component where it is not operationally required.
For customers with auto-remediation enabled, once an upstream fix version is published, HarborGuard will rebuild affected images, run regression tests, and open a pull request against impacted workloads without requiring manual steps. Given the 9.9 Critical score and scope-change designation, this advisory is surfaced at the highest urgency tier within HarborGuard triage routing.
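One way to verify the port restriction described above, as an added example that is not HarborGuard's or Oracle's code: it audits a Kubernetes NetworkPolicy for ingress rules that admit T3/IIOP traffic from outside the known-good ranges. It assumes the workload runs on Kubernetes; the sample policy, the allowlisted range and the function names are constructed for illustration.

```python
import ipaddress
T3_IIOP_PORTS = {7001, 7002}  # typical T3/IIOP ports named in the advisory text
# Assumption: this environment's known-good source range (constructed value).
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

def rule_covers_t3(rule):
    """True if an ingress rule applies to a T3/IIOP port."""
    ports = rule.get("ports")
    if not ports:                       # no 'ports' list: rule applies to every port
        return True
    for p in ports:
        if p.get("protocol", "TCP") != "TCP":
            continue
        start = p.get("port")
        if not isinstance(start, int):  # missing or named port: assume it may match
            return True
        if any(start <= t <= p.get("endPort", start) for t in T3_IIOP_PORTS):
            return True
    return False

def audit_policy(policy):
    """List ingress rules that admit T3/IIOP traffic from outside ALLOWED_SOURCES."""
    findings = []
    name = policy["metadata"]["name"]
    for i, rule in enumerate(policy["spec"].get("ingress", [])):
        if not rule_covers_t3(rule):
            continue
        peers = rule.get("from")
        if not peers:                   # missing or empty 'from' admits every source
            findings.append(f"{name} rule {i}: T3/IIOP open to all sources")
            continue
        for peer in peers:
            if "ipBlock" not in peer:   # selector peers need cluster context to judge
                continue
            net = ipaddress.ip_network(peer["ipBlock"]["cidr"])
            if not any(net.version == a.version and net.subnet_of(a)
                       for a in ALLOWED_SOURCES):
                findings.append(f"{name} rule {i}: {net} is outside known-good ranges")
    return findings

# Constructed sample in the shape `kubectl get networkpolicy -o json` returns per item.
SAMPLE_POLICY = {"metadata": {"name": "capture-ingress"}, "spec": {"ingress": [
    {"from": [{"ipBlock": {"cidr": "10.20.0.0/25"}}], "ports": [{"port": 7001}]},
    {"from": [{"ipBlock": {"cidr": "10.0.0.0/8"}}], "ports": [{"port": 7000, "endPort": 7010}]},
    {"ports": [{"protocol": "TCP", "port": 7002}]},
    {"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}], "ports": [{"port": 8443}]},
]}}
if __name__ == "__main__":
    print("\n".join(audit_policy(SAMPLE_POLICY)))
```

Rules whose peers are pod or namespace selectors are skipped here and still need review against the cluster's labels; `ipBlock.except` entries are ignored, which only makes the check stricter.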
- Oracle Corporation / Oracle WebCenter Enterprise Capture: 12.2.1.4.0 · 14.1.2.0.0
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H