Severity: HIGH · CVE-2026-35299 · CNA: oracle

CVE-2026-35299: Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console)

Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic Server. Successful attacks of this vulnerability can result in takeover of WebLogic Server. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A privilege-escalation vulnerability, bordering on authentication bypass, affects the Console component of Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0. The flaw is reachable over the network via HTTP and requires only a low-privilege account, with no victim interaction needed. Successful exploitation gives an attacker full control over the WebLogic Server instance, including read, write, and denial-of-service capability. No fix version has been published yet; HarborGuard tracks the upstream advisory and will surface a patched-image rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection

Detection for CVE-2026-35299 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images that bundle WebLogic Server.

Status: Available
Triage

Triage capability is available using the CVSS 3.1 base score of 8.8 (HIGH), weighted against each customer environment's compliance policy to prioritize routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers with auto-remediation enabled will receive compensating-control guidance surfaced alongside the open finding.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the WebLogic Console over the network via HTTP; no local or physical access is needed.

  • Authentication: Required

    A low-privilege account is sufficient; any valid WebLogic user credential satisfies this requirement.

  • Victim interaction: Not required

    No action from another user or administrator is needed for the attack to succeed.

  • Attack complexity: Low

    The exploit is reliable and condition-free, with no race conditions or special environmental setup required.

Blast Radius

  • A successful attacker reads all data accessible to the WebLogic Server process, including configuration files, credentials, and application data.
  • The attacker can write or modify persisted application data, configurations, and deployed artifacts on the server.
  • The attacker can crash or otherwise disrupt the WebLogic Server process, taking the application offline.
  • Full server takeover is achievable, meaning the attacker can deploy arbitrary code or use the server as a pivot point into adjacent infrastructure.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-35299, the platform monitors the advisory on every ingest cycle and will automatically make a patched-image rebuild available as soon as an upstream fix is released. For customers who opt into auto-remediation, that rebuild will trigger a regression-test run and a PR opened against affected workloads with no manual intervention required. While no patch exists, compensating controls worth enabling include network-policy rules that restrict HTTP access to the WebLogic Console to trusted source CIDRs only, egress filtering to limit lateral movement if the console is compromised, and feature-flag or deployment-config gating to disable the Console component on instances where it is not operationally required. Customers whose compliance policy flags HIGH-severity unpatched CVEs will see this finding routed to the appropriate inbox immediately upon scan.

Affected packages
  • Oracle Corporation / WebLogic Server
    12.2.1.4.0 · 14.1.1.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References