CRITICAL · CVE-2026-35323 · CNA: oracle

CVE-2026-35323: Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server)

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A critical remote code execution vulnerability affects the Content Server component of Oracle WebCenter Content (versions 12.2.1.4.0 and 14.1.2.0.0), part of Oracle Fusion Middleware. The flaw is reachable over HTTP by any low-privileged authenticated user with network access, and the attack is straightforward with no special conditions required. Successful exploitation gives an attacker full control of the Content Server and can spill over to compromise additional products in the same environment. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-35323 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including internally built and customized Oracle WebCenter Content images.

Triage: Available

Triage is available with the recorded CVSS 3.1 score of 9.9 (Critical), weighted further by each customer organization's compliance policy to determine urgency and route alerts to the appropriate team inbox within that org.

Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Content Server over the network via HTTP; the service must be exposed to the attacker's network segment.

  • Authentication: Required

    A valid low-privilege account is sufficient; no administrative or elevated credentials are needed to trigger the vulnerability.

  • Victim interaction: Not required

    No action from another user or administrator is needed; the attacker can exploit the flaw entirely on their own.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, requiring no race conditions, specific memory layout, or other environmental setup.

Blast Radius

  • A successful attacker gains full control of the Oracle WebCenter Content server, including the ability to read all managed documents, stored credentials, and indexed content.
  • The attacker can modify or delete content records, configuration, and persisted data within the Content Server.
  • The Content Server process can be crashed or made permanently unavailable, disrupting document management workflows.
  • Because the CVSS scope is changed, the attacker can pivot to compromise other products and services sharing the same Fusion Middleware environment.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-35323, HarborGuard continuously re-checks the advisory on every feed ingest cycle so that a patched-image rebuild becomes available the moment Oracle releases one. In the interim, customers are advised to apply compensating controls:

  • Restrict HTTP access to the Content Server to known, authorized network ranges using Kubernetes NetworkPolicy or equivalent egress/ingress filtering.
  • Place the service behind an authenticated reverse proxy or API gateway to add an additional authentication layer.
  • Audit low-privilege accounts with access to the affected versions (12.2.1.4.0 and 14.1.2.0.0).

When a fix is published and a rebuild is available, customers with auto-remediation enabled will receive an automatic rebuild, a regression-test run, and a PR opened against affected workloads. Customers without auto-remediation will receive an alert with the rebuild reference so they can apply it manually.
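
A sketch of the network-restriction and reverse-proxy controls described above, as a single Kubernetes NetworkPolicy. This is an added example, not HarborGuard's or Oracle's configuration. The namespace names, pod labels, admin CIDR and port 16200 are assumptions and must be replaced with the values from your own deployment.

```yaml
# Added example: restrict ingress to the Content Server pods.
# All names below are hypothetical placeholders:
#   namespace "wcc", label app=webcenter-content,
#   proxy namespace "edge-proxy", label app=auth-proxy,
#   admin range 10.20.0.0/24 (constructed), HTTP port 16200 (assumed).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: wcc-restrict-ingress
  namespace: wcc
spec:
  # Selecting the pods with policyTypes: Ingress isolates them:
  # any ingress not matched by a rule below is dropped.
  podSelector:
    matchLabels:
      app: webcenter-content
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Rule 1: only the authenticating reverse proxy pods.
        # namespaceSelector and podSelector in the SAME list item
        # are ANDed (proxy pods in the proxy namespace only).
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: edge-proxy
          podSelector:
            matchLabels:
              app: auth-proxy
        # Rule 2: a known, authorized admin network range.
        - ipBlock:
            cidr: 10.20.0.0/24
      ports:
        # Limit the allowed sources to the Content Server HTTP port.
        - protocol: TCP
          port: 16200
```

The policy only takes effect on clusters whose network plugin enforces NetworkPolicy, and `ipBlock` matches the source address as seen by the pod, which may be a node or load-balancer address if traffic is NATed on the way in.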

Affected packages
  • Oracle Corporation / Oracle WebCenter Content
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H