Severity: HIGH · CVE-2026-35324 · CNA: oracle

CVE-2026-35324: Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server)

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An unspecified high-severity vulnerability affects the Content Server component of Oracle WebCenter Content, part of Oracle Fusion Middleware, in versions 12.2.1.4.0 and 14.1.2.0.0. The flaw is reachable over the network via HTTP and requires only a low-privileged account, with no user interaction needed. Successful exploitation gives an attacker full takeover of the affected WebCenter Content instance, impacting confidentiality, integrity, and availability. No fix has been published yet; HarborGuard is tracking the advisory and will surface a patched rebuild the moment Oracle ships a corrected version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle WebCenter Content components.

Status: Available

Triage

HarborGuard scores this finding at CVSS 8.8 HIGH and weights it against each environment's compliance policy to determine priority and routing, ensuring the alert reaches the appropriate team inbox inside each customer organization.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-evaluates the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Content Server over the network via HTTP; no local or physical access is required.

  • Authentication: Required

    The attacker must hold a valid low-privilege account on the system; unauthenticated access is not sufficient.

  • Victim interaction: Not required

    No action from a legitimate user is needed; the attacker can exploit the vulnerability entirely on their own.

  • Attack complexity (detail)

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental variables.

Blast Radius

  • A successful attacker reads all content, documents, and credentials stored in the WebCenter Content repository.
  • The attacker modifies or deletes persisted content, metadata, and configuration within the Content Server.
  • The attacker crashes or renders the Content Server unavailable, disrupting dependent workflows and integrations.
  • Combined control over confidentiality, integrity, and availability amounts to full instance takeover.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged immediately on any image found to include an affected version of Oracle WebCenter Content (12.2.1.4.0 or 14.1.2.0.0). Because Oracle has not yet published a fix, no patched rebuild is currently available.

HarborGuard re-checks the Oracle advisory feed on every ingest cycle; when a corrected version is released, a patched rebuild will become available and, for customers with auto-remediation enabled, a regression-tested rebuild and a PR against affected workloads will be generated automatically.

In the interim, compensating controls to consider include:

  • Network-policy isolation that restricts HTTP access to the Content Server to only trusted internal sources.
  • Egress filtering to limit lateral movement if a breach occurs.
  • Review of which accounts hold the low-privilege credentials that would satisfy the PR:L requirement, reducing the pool of potential attackers.

Affected packages
  • Oracle Corporation / Oracle WebCenter Content
    12.2.1.4.0 · 14.1.2.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H