CVE-2026-35258 Overview
CVE-2026-35258 affects the Console component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw is classified as an Open Redirect weakness [CWE-601] and impacts WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0. A low-privileged attacker with network access over HTTPS can exploit the vulnerability when an authenticated user interacts with a crafted link. Successful exploitation produces a scope change, allowing unauthorized creation, deletion, or modification of critical data and unauthorized read access to all WebLogic Server accessible data. Oracle published the fix in the June 2026 Critical Patch Update.
Critical Impact
An attacker can compromise confidentiality and integrity of WebLogic Server data and adjacent products through a user-interaction-based attack against the Console.
Affected Products
- Oracle WebLogic Server 14.1.2.0.0
- Oracle WebLogic Server 15.1.1.0.0
- Oracle Fusion Middleware deployments embedding the affected Console component
Discovery Timeline
- 2026-06-17 - CVE-2026-35258 published to the National Vulnerability Database
- 2026-06-17 - Oracle releases security patch via the June 2026 Critical Patch Update
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-35258
Vulnerability Analysis
The Console component of Oracle WebLogic Server fails to validate redirect destinations before forwarding authenticated users. An attacker with low-privileged credentials can craft a URL that points to the WebLogic Console but, once the victim follows it, redirects the browser to an attacker-controlled location. Because the request originates from a trusted WebLogic endpoint, the victim's browser carries session context that the attacker can leverage to manipulate or exfiltrate data.
The issue carries a scope change, meaning impact extends beyond WebLogic Server into adjacent Fusion Middleware components that share trust with the Console. Confidentiality and integrity are affected, while availability is not. Exploitation requires human interaction such as clicking a crafted link, which aligns with typical phishing and watering-hole delivery patterns against administrators.
Root Cause
The root cause is insufficient validation of user-controlled redirect parameters in the WebLogic Console, an instance of CWE-601 (URL Redirection to Untrusted Site). The Console accepts redirect targets without enforcing an allow-list of trusted hosts or relative paths, enabling cross-origin redirection while preserving authentication context.
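As an added example (not Oracle's or WebLogic's code), the missing control described above in Python: the vulnerable pattern that passes the redirect parameter through unchanged, next to a hardened validator that accepts only same-site relative paths or https URLs whose host is on an allow-list, and that rejects the usual bypasses (protocol-relative `//host`, backslash variants, userinfo `@` tricks, percent-encoded separators, control characters). The host in ALLOWED_HOSTS and the function names are assumptions.

```python
# Added example, not Oracle's code: allow-list validation of a redirect
# parameter, the control that CWE-601 describes as missing. ALLOWED_HOSTS
# and the function names are assumptions for illustration.
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"console.example.internal"}  # assumed trusted host(s)


def vulnerable_redirect_target(param: str) -> str:
    """The CWE-601 pattern: the user-supplied target is used unchanged."""
    return param


def safe_redirect_target(param: str, fallback: str = "/console/") -> str:
    """Return a destination that stays on trusted origins, else `fallback`.

    Accepts (a) same-site relative paths beginning with a single '/' and
    (b) https URLs whose host is in ALLOWED_HOSTS. Anything else is replaced
    by the fallback path instead of being redirected to.
    """
    target = unquote(param).strip()
    # Control characters (e.g. CRLF from %0d%0a) have no place in a target.
    if any(ord(c) < 0x20 or c == "\x7f" for c in target):
        return fallback
    # Browsers treat '\' like '/', so '/\host' would be protocol-relative.
    target = target.replace("\\", "/")
    if target.startswith("/") and not target.startswith("//"):
        return target  # same-site relative path
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return fallback
    # .hostname strips userinfo and port, so 'https://trusted@other' yields 'other'.
    if parts.scheme.lower() != "https" or parts.hostname not in ALLOWED_HOSTS:
        return fallback
    return target
```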
Attack Vector
The attack vector is network-based over HTTPS and requires the attacker to hold valid low-privileged WebLogic credentials. The attacker sends a crafted Console URL to a privileged user through email, chat, or a malicious page. When the victim follows the link while authenticated, the Console redirects the browser to the attacker-controlled host, where session tokens, CSRF tokens, or further authenticated requests can be harvested or abused to alter WebLogic configuration and data.
No public proof-of-concept code is available. See the Oracle Security Alert for vendor-supplied technical details.
Detection Methods for CVE-2026-35258
Indicators of Compromise
- Outbound HTTP redirects from WebLogic Console URLs to external, non-corporate domains in proxy or web gateway logs.
- WebLogic access logs showing requests to Console endpoints carrying redirect, returnTo, or similar query parameters with absolute URLs.
- Authentication events from low-privileged WebLogic accounts immediately followed by administrator session activity from unexpected source addresses.
Detection Strategies
- Inspect WebLogic Console request logs for redirect parameters containing fully qualified external URLs or encoded protocol handlers.
- Correlate phishing email telemetry referencing WebLogic Console hostnames with subsequent Console logins from the targeted users.
- Baseline normal administrator browsing flows in and out of the Console and alert on deviations to external destinations.
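The first detection strategy above as an added example (not Oracle's tooling): a Python scanner over constructed Common Log Format access-log lines that flags Console requests whose redirect-style query parameters decode to an absolute URL, a protocol-relative URL, or a scheme handler. The sample lines, paths and user names are constructed, and the parameter names other than redirect and returnTo are assumptions.

```python
# Added example, not Oracle's tooling: scan Common Log Format access-log lines
# and flag WebLogic Console requests whose redirect-style query parameters
# carry an absolute URL, a protocol-relative URL, or a scheme handler.
# Sample lines, paths and user names are constructed; parameter names other
# than redirect and returnTo are assumptions.
import re
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
REDIRECT_PARAMS = {"redirect", "returnto", "returnurl", "next", "url"}
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.-]*:", re.IGNORECASE)

SAMPLE_LOG = [  # constructed
    '10.0.5.21 - jsmith [17/Jun/2026:09:14:02 +0000] "GET /console/login?returnTo=%2Fconsole%2Fhome HTTP/1.1" 200 5123',
    '10.0.5.22 - jdoe [17/Jun/2026:09:15:40 +0000] "GET /console/login?returnTo=https%3A%2F%2Funtrusted.example%2Fcapture HTTP/1.1" 302 0',
    '10.0.5.33 - admin [17/Jun/2026:09:16:03 +0000] "GET /console/home?redirect=%2F%2Funtrusted.example%2F HTTP/1.1" 302 0',
    '10.0.5.40 - ops [17/Jun/2026:09:17:11 +0000] "GET /console/home?tab=servers HTTP/1.1" 200 9812',
    '10.0.5.41 - ops [17/Jun/2026:09:18:00 +0000] "GET /app/page?returnTo=https%3A%2F%2Funtrusted.example HTTP/1.1" 200 100',
]


def suspicious_redirect(value: str) -> bool:
    """True if a decoded parameter value would leave the current origin."""
    # parse_qs already decoded once; decode again to catch double encoding.
    decoded = unquote(value).replace("\\", "/").strip()
    return decoded.startswith("//") or bool(SCHEME_RE.match(decoded))


def scan_access_log(lines):
    """Return one finding per suspicious redirect parameter on a Console request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("target").startswith("/console"):
            continue  # unparseable line or not a Console request
        query = urlsplit(m.group("target")).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() not in REDIRECT_PARAMS:
                continue
            for value in values:
                if suspicious_redirect(value):
                    findings.append({"src": m.group("src"), "user": m.group("user"),
                                     "param": name, "value": value,
                                     "status": int(m.group("status"))})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```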
Monitoring Recommendations
- Forward WebLogic access logs, audit logs, and HTTP proxy telemetry to a centralized SIEM for correlation.
- Monitor low-privileged WebLogic accounts for anomalous activity patterns and unusual geolocation changes.
- Track configuration changes inside WebLogic Console and flag modifications that occur shortly after Console redirect events.
How to Mitigate CVE-2026-35258
Immediate Actions Required
- Apply the June 2026 Oracle Critical Patch Update to WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 without delay.
- Restrict network access to the WebLogic Console to trusted administrative subnets or VPN segments only.
- Audit and reduce the number of low-privileged WebLogic accounts that retain Console access.
- Brief administrators on phishing risks involving WebLogic Console links until patching is complete.
Patch Information
Oracle has released fixes for CVE-2026-35258 as part of the June 2026 Critical Patch Update. Apply the patches referenced in the Oracle Security Alert. Validate patch deployment by checking the WebLogic version and reviewing Oracle's post-patch verification steps.
Workarounds
- Place WebLogic Console behind a reverse proxy that rewrites or blocks redirect parameters pointing to external hosts.
- Enforce a strict Content Security Policy and Referrer-Policy on Console responses to limit cross-origin data leakage.
- Disable the WebLogic Console in production environments where it is not actively required and manage the server through WLST instead.
# Example: restrict WebLogic Console exposure at the reverse proxy layer
# (Adapt to your environment - illustrative only)
location /console/ {
    allow 10.0.0.0/8;   # internal admin network only
    deny all;           # every other source address is refused
    proxy_pass https://weblogic-internal:7002;
    proxy_set_header X-Forwarded-Proto https;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

