CVE-2026-35296: Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites)
Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter Sites). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical unauthenticated remote compromise vulnerability affects Oracle WebCenter Sites versions 12.2.1.4.0 and 14.1.2.0.0, a component of Oracle Fusion Middleware. The flaw is reachable over HTTP from any network and requires no login, no victim interaction, and no special conditions to exploit reliably. Successful exploitation gives an attacker full takeover of the WebCenter Sites instance, with complete loss of confidentiality, integrity, and availability. No fix version has been published by Oracle; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment. CVE-2026-35296 is matched against images in customer registries and CI/CD pipelines within minutes of upstream feed ingestion, including custom-built images that bundle Oracle WebCenter Sites at either affected version.
- Available: HarborGuard scores this CVE at 9.8 CRITICAL (CVSS v3.1) and surfaces it at the top of the severity queue in each customer environment; per-environment compliance policy weighting is applied to route the finding to the appropriate team inbox based on the customer's configured ownership rules.
- Pending upstream: Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle ships a corrected version. In the interim, compensating-control recommendations (described below) are surfaced in the finding detail for each affected image.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Oracle WebCenter Sites HTTP interface over a network; the service is exposed remotely with no requirement for a privileged network position.
- Authentication: Not required
  No account or credential of any privilege level is needed; the attacker interacts with the service as an anonymous HTTP client.
- Victim interaction: Not required
  The attack is fully server-side; no user of the application needs to click a link, open a file, or take any action for exploitation to succeed.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and condition-free, with no race conditions, memory-layout dependencies, or environmental prerequisites.
Blast Radius
- A successful attacker achieves full control of the Oracle WebCenter Sites process, including the ability to read all stored content, configuration, credentials, and session data.
- The attacker can modify or delete any persisted content, site configuration, or database records managed by the WebCenter Sites application.
- The attacker can crash or permanently disable the WebCenter Sites service, making managed web properties unavailable.
- Because the CVSS scope is unchanged, lateral movement beyond the WebCenter Sites boundary depends on host-level privilege and network topology, but the application itself is completely compromised.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-35296, the standard rebuild-and-PR flow is not yet applicable. HarborGuard continuously re-checks the Oracle advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published upstream; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.
While no upstream patch is available, HarborGuard surfaces compensating-control guidance directly in the finding detail for each affected image:
- restrict inbound HTTP access to Oracle WebCenter Sites behind a network policy that allows only known, trusted sources;
- apply egress filtering to limit what the compromised process can reach if exploitation occurs;
- consider feature-flag gating or temporary disablement of public-facing WebCenter Sites endpoints where business continuity permits.
Given the 9.8 CRITICAL score and the zero-barrier exploitation path, treating this as a highest-priority finding until Oracle ships a patch is warranted.
Affected Products
- Oracle Corporation / Oracle WebCenter Sites: 12.2.1.4.0 · 14.1.2.0.0
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H