CRITICAL · CVE-2026-35286 · CNA: oracle

CVE-2026-35286: Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server)

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A critical unauthenticated remote takeover vulnerability affects Oracle WebCenter Content (Content Server component) in versions 12.2.1.4.0 and 14.1.2.0.0. An attacker reachable over HTTP needs no credentials and no victim interaction to exploit the flaw. Successful exploitation gives the attacker full control of the Content Server instance, including read, write, and disruption of all hosted content. No upstream fix has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available the moment Oracle ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-35286 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication, including custom-built images that bundle Oracle WebCenter Content. Matching covers both registry-resident images and images scanned inline through CI/CD pipelines.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 severity of 9.8 (Critical) and weighting that score against each customer organization's compliance policy to prioritize routing. Triage tickets can be directed to the appropriate team inbox within each customer org based on policy-defined ownership rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, customers can apply compensating controls through HarborGuard policy rules, such as flagging any image containing affected versions as non-deployable until a patch is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Content Server over the network via HTTP; the service is exposed to anyone with network access to it.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is exploitable by a completely unauthenticated remote attacker.

  • Victim interaction: Not required

    No user action is required; the attacker triggers exploitation entirely without any involvement from a logged-in user or administrator.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race wins, or environmental setup.

Blast Radius

  • A successful attacker reads all content managed by the Content Server, including stored documents, metadata, and any credentials or tokens held in the repository.
  • The attacker can write, modify, or delete persisted content and configuration data, corrupting or replacing managed documents and repository state.
  • The attacker can crash or render the Content Server unavailable, denying access to all users and downstream systems that depend on it.
  • Combined confidentiality, integrity, and availability compromise at the highest level constitutes a full takeover of the Oracle WebCenter Content instance.

How HarborGuard Handles This

Available on HarborGuard: because no Oracle-published fix exists for CVE-2026-35286 at this time, HarborGuard continuously re-ingests the Oracle advisory feed and will make a patched-image rebuild available to affected environments the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention. While no patch is available, customers can use HarborGuard policy controls to mark images containing Oracle WebCenter Content 12.2.1.4.0 or 14.1.2.0.0 as non-deployable, enforce network-policy isolation to restrict inbound HTTP access to Content Server instances, and configure egress filtering to limit the blast radius if a host is compromised. HarborGuard will surface an alert and initiate the rebuild-and-PR flow as soon as upstream remediation is available, with median time from CVE publication to merged patch PR for critical-severity issues around 90 minutes for environments with auto-remediation enabled.

Affected packages
  • Oracle Corporation / Oracle WebCenter Content
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H