CVE-2026-34305 Overview
CVE-2026-34305 is an information disclosure vulnerability in the Web Services component of Oracle WebLogic Server, part of Oracle Fusion Middleware. An unauthenticated attacker with network access via HTTP can exploit the flaw to access sensitive data processed by the server. Oracle disclosed the issue in the April 2026 Critical Patch Update. The weakness is classified as [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor. Affected releases include WebLogic Server 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. Because WebLogic instances frequently host business-critical Java EE applications and expose web service endpoints to internal or external networks, exposure can compromise data confidentiality across dependent applications.
Critical Impact
An unauthenticated remote attacker can obtain unauthorized access to critical data or complete access to all WebLogic Server accessible data over HTTP.
Affected Products
- Oracle WebLogic Server 12.2.1.4.0
- Oracle WebLogic Server 14.1.1.0.0
- Oracle WebLogic Server 14.1.2.0.0
- Oracle WebLogic Server 15.1.1.0.0
Discovery Timeline
- 2026-04-21 - Oracle published the Critical Patch Update Advisory containing CVE-2026-34305
- 2026-04-21 - CVE-2026-34305 published to the National Vulnerability Database (NVD)
- 2026-04-24 - Last updated in NVD
Technical Details for CVE-2026-34305
Vulnerability Analysis
The vulnerability resides in the Web Services component of Oracle WebLogic Server. The component processes inbound HTTP requests targeting SOAP and related web service endpoints exposed by deployed applications and internal management interfaces. An unauthenticated attacker can craft HTTP requests that cause the server to return data the requestor is not authorized to view. The impact is limited to confidentiality, with no direct integrity or availability impact per the published CVSS vector. The flaw is described by Oracle as easily exploitable, meaning it does not require special conditions, authentication, or user interaction. The EPSS score is 0.048% with a percentile of 15.06, indicating low observed exploitation probability at publication, though WebLogic flaws are historically attractive targets once weaponized.
Root Cause
The root cause is improper restriction of information returned by the Web Services component, mapping to [CWE-200]. Oracle has not published implementation-level details. The bug class typically arises from missing authorization checks on data accessors, verbose error responses, or insecure handling of SOAP message context that leaks server or application state to unauthenticated callers.
Attack Vector
The attack vector is the network. An adversary sends crafted HTTP requests to a reachable WebLogic Web Services endpoint, commonly served on the WebLogic listen port at paths such as /ws_utc/, /wls-wsat/, or application-deployed *.wsdl and SOAP endpoints. No credentials and no user interaction are required. Successful exploitation returns data accessible to the WebLogic Server, which may include application records, configuration material, or session-bearing content depending on the deployment.
No verified public proof-of-concept code is available at the time of publication. Refer to the Oracle Critical Patch Update Advisory - April 2026 for vendor-supplied technical guidance.
Detection Methods for CVE-2026-34305
Indicators of Compromise
- Unauthenticated HTTP or HTTPS requests to WebLogic Web Services paths such as /ws_utc/*, /wls-wsat/*, or application SOAP endpoints originating from unexpected source IPs.
- Anomalous response sizes from WebLogic Web Services endpoints suggesting bulk data return to anonymous clients.
- Spikes in GET or POST requests for .wsdl, .xsd, or SOAP action URIs without an associated authenticated session.
Detection Strategies
- Inspect WebLogic access.log for sequential probing of Web Services URIs from a single source without prior authentication.
- Deploy WAF rules that flag unauthenticated SOAP requests returning large payloads or HTTP 200 responses for endpoints expected to require authentication.
- Correlate web tier telemetry with application logs to identify data egress patterns tied to anonymous Web Services calls.
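The following script is an added example, not part of the original advisory, that applies the indicators and detection strategies above to WebLogic's default Common Log Format access.log: it flags unauthenticated clients that probe several Web Services URIs (wls-wsat, ws_utc, WSDL/XSD, SOAP calls) and anonymous HTTP 200 responses whose size suggests bulk data return. The log lines, thresholds, and the /orders/OrderService endpoint are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample access.log lines in WebLogic's default Common Log Format:
# client, identd, authenticated user ("-" when anonymous), timestamp, request, status, bytes.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2026:09:12:01 +0000] "GET /wls-wsat/CoordinatorPortType HTTP/1.1" 200 412
203.0.113.7 - - [22/Apr/2026:09:12:02 +0000] "GET /ws_utc/config.do HTTP/1.1" 200 388
203.0.113.7 - - [22/Apr/2026:09:12:03 +0000] "GET /orders/OrderService?wsdl HTTP/1.1" 200 9120
203.0.113.7 - - [22/Apr/2026:09:12:05 +0000] "POST /orders/OrderService HTTP/1.1" 200 2457600
10.0.4.21 - jdoe [22/Apr/2026:09:13:10 +0000] "POST /orders/OrderService HTTP/1.1" 200 5120
10.0.4.22 - - [22/Apr/2026:09:14:00 +0000] "GET /orders/index.html HTTP/1.1" 200 1024
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*"'
                     r' (?P<status>\d{3}) (?P<size>\d+|-)$')
# Web Services URIs named in the advisory: wls-wsat, ws_utc, WSDL/XSD documents.
WS_URI_RE = re.compile(r'^/(wls-wsat|ws_utc)(/|$)|\.(wsdl|xsd)$|\?wsdl$', re.IGNORECASE)

def parse_access_log(text):
    # Yield one dict per well-formed line; malformed lines are skipped.
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
            yield rec

def flag_anonymous_ws_activity(text, min_distinct_uris=3, large_response=1_000_000):
    """{client_ip: [findings]} for anonymous clients probing several WS URIs or pulling large 200s."""
    soap_endpoints = set()  # paths whose WSDL was fetched; later POSTs to them are SOAP calls
    per_ip = defaultdict(lambda: {"uris": set(), "large": []})
    for rec in parse_access_log(text):
        if rec["user"] != "-":
            continue  # authenticated session: out of scope for this check
        path = rec["uri"].split("?", 1)[0]
        if rec["uri"].lower().endswith("?wsdl"):
            soap_endpoints.add(path)
        is_soap_call = rec["method"] == "POST" and path in soap_endpoints
        if not (WS_URI_RE.search(rec["uri"]) or is_soap_call):
            continue
        bucket = per_ip[rec["ip"]]
        bucket["uris"].add(path)
        if rec["status"] == "200" and rec["size"] >= large_response:
            bucket["large"].append((path, rec["size"]))
    findings = {}
    for ip, b in per_ip.items():
        notes = [f"anonymous 200 with {size} bytes from {p}" for p, size in b["large"]]
        if len(b["uris"]) >= min_distinct_uris:
            notes.insert(0, f"probed {len(b['uris'])} Web Services URIs without authentication")
        if notes:
            findings[ip] = notes
    return findings
```

Tune min_distinct_uris and large_response against a baseline of legitimate SOAP traffic before alerting on them, since WSDL fetches by integration clients are normal on many deployments.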
Monitoring Recommendations
- Enable verbose HTTP access logging on all WebLogic managed servers and forward logs to a centralized analytics platform.
- Alert on outbound data volumes from WebLogic hosts that deviate from baseline business-hours patterns.
- Track invocation rates per Web Services endpoint and trigger review when unauthenticated traffic exceeds expected thresholds.
How to Mitigate CVE-2026-34305
Immediate Actions Required
- Apply the April 2026 Oracle Critical Patch Update to all WebLogic Server instances running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0.
- Inventory all internet-exposed WebLogic deployments and restrict management and Web Services endpoints to trusted networks.
- Review web tier access logs for the past 90 days to identify any anomalous unauthenticated requests against Web Services URIs.
Patch Information
Oracle addressed CVE-2026-34305 in the April 2026 Critical Patch Update. Administrators must apply the patch bundle that corresponds to their installed WebLogic release. Full patch identifiers and download instructions are available in the Oracle Critical Patch Update Advisory - April 2026. Oracle states that patches are cumulative and supersede prior fixes for the affected components.
Workarounds
- Place WebLogic Web Services endpoints behind an authenticated reverse proxy or API gateway that enforces access control before traffic reaches the server.
- Disable or undeploy unused Web Services components such as wls-wsat and ws_utc when not required by hosted applications.
- Restrict network access to WebLogic listen ports using firewall rules so that only authorized application tiers and administrators can reach the service.
# Example: restrict WebLogic listen port to internal subnet using iptables
# Replace 10.0.0.0/8 with the trusted application-tier subnet and 7001 with the configured listen port;
# the ACCEPT rule must precede the DROP rule, and rules must be saved to persist across reboots
iptables -A INPUT -p tcp --dport 7001 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 7001 -j DROP
# Example: undeploy the wls-wsat application via WLST
# Run within wlst.sh after connecting to the AdminServer; verify no hosted application depends on WS-AT first
connect('weblogic','<password>','t3://adminhost:7001')
undeploy('wls-wsat', targets='AdminServer')
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.