CVE-2026-35259: Oracle WebLogic Server Auth Bypass Flaw

CVE-2026-35259 is an authentication bypass vulnerability in Oracle WebLogic Server Console that allows attackers to take over the system. This article covers technical details, affected versions 14.1.2.0.0 and 15.1.1.0.0, and mitigation.

CVE-2026-35259 Overview

CVE-2026-35259 is a high-severity vulnerability in the Console component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw affects supported versions 14.1.2.0.0 and 15.1.1.0.0. An unauthenticated remote attacker can exploit it over HTTPS, but successful exploitation requires user interaction from a victim other than the attacker. The vulnerability maps to URL Redirection to Untrusted Site [CWE-601], a classic open-redirect weakness commonly used as a pivot for phishing and credential theft. Oracle published guidance in its Oracle Security Alert advisory.

Critical Impact

Successful exploitation can lead to full takeover of the WebLogic Server, compromising confidentiality, integrity, and availability of hosted applications and data.

Affected Products

  • Oracle WebLogic Server 14.1.2.0.0
  • Oracle WebLogic Server 15.1.1.0.0
  • Oracle Fusion Middleware deployments using the WebLogic Console component

Discovery Timeline

  • 2026-06-17 - CVE-2026-35259 published to NVD
  • 2026-06-17 - Oracle Security Alert published referencing this CVE
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-35259

Vulnerability Analysis

The vulnerability resides in the WebLogic Server administrative Console. According to Oracle, the flaw is easily exploitable by an unauthenticated attacker with network access via HTTPS. Exploitation requires interaction from an authenticated administrator or another privileged user. The end result is takeover of the WebLogic Server, with high impact on confidentiality, integrity, and availability.

The weakness is categorized as [CWE-601] URL Redirection to Untrusted Site. Open-redirect flaws in management consoles are frequently chained with social engineering to coerce administrators into clicking attacker-supplied links that load hostile content or replay malicious requests in an authenticated session context.

Root Cause

The root cause is improper validation of user-controlled URL parameters processed by the WebLogic Console. The Console accepts redirect targets without enforcing a strict allow-list of trusted destinations. This allows an attacker to craft a URL hosted on a legitimate WebLogic Console origin that ultimately redirects the victim to attacker-controlled infrastructure.

Attack Vector

The attack vector is network-based and proceeds over HTTPS. An attacker delivers a specially crafted Console URL to a WebLogic administrator through phishing, chat, or another channel. When the administrator interacts with the link while authenticated to the Console, the redirect or follow-on request triggers actions that lead to server takeover. Because the originating link points to the trusted WebLogic host, standard URL inspection by the victim is unlikely to detect the attack.

No public proof-of-concept code is currently available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS score is 0.395% as of 2026-06-18.

Detection Methods for CVE-2026-35259

Indicators of Compromise

  • Unexpected outbound HTTP redirects originating from WebLogic Console URLs containing parameters such as redirect, returnTo, url, or next
  • Console access logs showing administrator sessions following links from external referrers immediately before suspicious administrative activity
  • New or modified WebLogic deployments, data sources, or startup classes shortly after an administrator clicked an external link
  • Authentication events for administrative accounts from unexpected source IPs or user agents

Detection Strategies

  • Inspect WebLogic access.log and Console audit logs for requests containing absolute external URLs in redirect parameters
  • Correlate administrator browser activity with subsequent Console configuration changes to detect interaction-driven attack chains
  • Apply regex-based rules at the web application firewall layer to flag Console requests whose redirect targets fall outside the organization's trusted domain list
  • Hunt for newly deployed WAR/EAR files or JNDI bindings created within minutes of suspicious Console redirects

Monitoring Recommendations

  • Forward WebLogic Console, domain, and access logs to a centralized SIEM or data lake for correlation across identity, endpoint, and network telemetry
  • Alert on any successful HTTP 3xx response from /console/* paths that targets an external domain
  • Monitor administrative accounts for anomalous session behavior, including geographically improbable logins and out-of-hours configuration changes
  • Track integrity of WebLogic deployment directories such as $DOMAIN_HOME/servers/<server>/upload for unexpected artifacts
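The log inspection described under Detection Strategies and Monitoring Recommendations, as an added example that is not part of the original advisory or of any Oracle tooling: it parses constructed WebLogic access.log lines, extracts the redirect-style parameters named above, and flags /console/* requests whose target host is not on an assumed trusted-host list, noting whether the Console actually answered with a 3xx.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed internal hostnames that are legitimate redirect targets (not from the advisory).
TRUSTED_HOSTS = {"adminhost.corp.example", "weblogic.corp.example"}
REDIRECT_PARAMS = ("redirect", "returnTo", "url", "next")

# Constructed sample lines in WebLogic's default common log format:
# client - user [timestamp] "METHOD path HTTP/1.1" status bytes
SAMPLE_LOG = """\
10.0.0.5 - weblogic [18/Jun/2026:09:14:02 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 5120
10.0.0.5 - weblogic [18/Jun/2026:09:14:40 +0000] "GET /console/console.portal?returnTo=https://adminhost.corp.example/console HTTP/1.1" 302 0
198.51.100.7 - - [18/Jun/2026:09:15:01 +0000] "GET /console/console.portal?redirect=https://attacker.example/login HTTP/1.1" 302 0
198.51.100.7 - - [18/Jun/2026:09:15:03 +0000] "GET /console/console.portal?next=//attacker.example/x HTTP/1.1" 302 0
10.0.0.9 - - [18/Jun/2026:09:16:00 +0000] "GET /console/console.portal?next=/console/dashboard HTTP/1.1" 200 800
"""

LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def redirect_target_host(path):
    """Return the host named in any redirect-style query parameter, or None for relative targets."""
    qs = parse_qs(urlsplit(path).query)
    for name in REDIRECT_PARAMS:
        for value in qs.get(name, []):
            # urlsplit gives a netloc for "//host/x" as well as "https://host/x", so
            # scheme-relative targets are caught; strip any userinfo@ and :port first.
            host = urlsplit(value).netloc.split("@")[-1].split(":")[0].lower()
            if host:
                return host
    return None

def find_suspicious_redirects(log_text):
    """Flag /console/* requests whose redirect parameter points off the trusted host list."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, user, ts, method, path, status = m.groups()
        if not path.startswith("/console/"):
            continue
        host = redirect_target_host(path)
        if host and host not in TRUSTED_HOSTS:
            findings.append({"client": client, "user": user, "time": ts, "target": host,
                             "status": int(status),
                             # a 3xx means the Console actually issued the redirect
                             "redirected": status.startswith("3")})
    return findings
```

Feeding a real access.log into find_suspicious_redirects gives the same dictionaries; a finding with redirected=True for an authenticated user is the case worth correlating with subsequent configuration changes.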

How to Mitigate CVE-2026-35259

Immediate Actions Required

  • Apply the Oracle Critical Patch Update referenced in the Oracle Security Alert to all WebLogic 14.1.2.0.0 and 15.1.1.0.0 instances
  • Restrict access to the WebLogic Console to a management VLAN or VPN, eliminating direct internet exposure
  • Require administrators to use dedicated privileged access workstations when interacting with the Console
  • Rotate WebLogic administrator credentials and review recent administrative actions for unauthorized changes

Patch Information

Oracle addressed CVE-2026-35259 in the June 2026 Critical Patch Update. Administrators should consult the Oracle Security Alert for version-specific patch identifiers and apply fixes during the next available maintenance window. Patching is the only complete remediation, as the flaw is server-side and cannot be fully neutralized through configuration alone.

Workarounds

  • Disable the WebLogic Console in production domains where it is not required by setting Console Enabled to false in the domain configuration
  • Place the Console behind a reverse proxy that enforces a strict allow-list of redirect destinations and strips untrusted Location headers
  • Enforce phishing-resistant multi-factor authentication for all WebLogic administrative accounts to limit impact of social-engineering-driven exploitation
  • Train administrators to access the Console only through bookmarked internal URLs and to avoid following Console links received over email or chat
```python
# Disable the WebLogic Administration Console via WLST (a Jython script, run with wlst.sh).
# Replace <password> with the administrator password; t3s:// uses the SSL listen port.
connect('weblogic', '<password>', 't3s://adminhost:7002')
edit()                         # switch to the edit MBean tree
startEdit()                    # acquire the edit lock
cmo.setConsoleEnabled(false)   # DomainMBean.ConsoleEnabled = false
save()
activate()                     # commit the change to the domain configuration
disconnect()
exit()
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.