Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35263

CVE-2026-35263: Oracle WebLogic Server RCE Vulnerability

CVE-2026-35263 is a remote code execution vulnerability in Oracle WebLogic Server affecting versions 14.1.2.0.0 and 15.1.1.0.0. This critical flaw allows attackers to take over the server. Learn about technical details, impact, and mitigation.

Published:

CVE-2026-35263 Overview

CVE-2026-35263 is a critical access control vulnerability [CWE-284] in the Core component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw affects supported versions 14.1.2.0.0 and 15.1.1.0.0. A low-privileged attacker with network access via HTTP can exploit this issue to achieve full takeover of the WebLogic Server. The vulnerability carries a scope change, meaning successful exploitation can impact components beyond the WebLogic Server itself. Oracle disclosed the issue in its June 2026 Critical Patch Update.

Critical Impact

Successful exploitation results in complete takeover of WebLogic Server with high impact to confidentiality, integrity, and availability, and may compromise additional downstream products through scope change.

Affected Products

  • Oracle WebLogic Server 14.1.2.0.0
  • Oracle WebLogic Server 15.1.1.0.0
  • Oracle Fusion Middleware deployments embedding the affected WebLogic Core component

Discovery Timeline

  • 2026-06-17 - CVE-2026-35263 published to the National Vulnerability Database (NVD)
  • 2026-06-18 - Last updated in the NVD database
  • 2026-06-17 - Oracle published security alert in the June 2026 Critical Patch Update (Oracle Security Alert)

Technical Details for CVE-2026-35263

Vulnerability Analysis

The vulnerability resides in the Core component of Oracle WebLogic Server. It allows an authenticated attacker holding only low-tier privileges to compromise the server over HTTP. Oracle classifies the issue as easily exploitable, requiring no user interaction and minimal attack complexity. The scope change indicator means an attacker who takes over WebLogic can pivot to affect resources managed by other security authorities. The Exploit Prediction Scoring System (EPSS) currently places this CVE at the 22nd percentile, but the underlying takeover impact warrants prioritized remediation regardless of probabilistic forecasts.

Root Cause

The weakness is categorized as Improper Access Control [CWE-284] within the WebLogic Core. Oracle's advisory does not disclose internal specifics, but CWE-284 in middleware of this class typically indicates missing or insufficient enforcement of authorization checks on privileged operations exposed through HTTP request handlers. The flaw enables an authenticated low-privilege session to perform actions reserved for higher privilege contexts.

Attack Vector

The attack vector is network-based over HTTP. An attacker requires valid credentials with only low privileges, such as a standard application user account on the WebLogic domain. No user interaction is needed. After authentication, the attacker issues crafted HTTP requests to the vulnerable Core endpoint to escalate control over the server. Because WebLogic frequently fronts business-critical Java EE workloads, server takeover can yield access to application data, credentials, JNDI bindings, and connected databases.

No public proof-of-concept code or in-the-wild exploitation has been documented at the time of writing. Refer to the Oracle Security Alert for vendor-supplied technical context.

Detection Methods for CVE-2026-35263

Indicators of Compromise

  • Unexpected HTTP requests from authenticated low-privilege accounts targeting WebLogic administrative or Core endpoints such as /console, /management, or /wls-wsat.
  • Creation of new administrative users, roles, or JNDI bindings outside change-management windows.
  • Outbound connections initiated by the WebLogic JVM (java process) to unfamiliar external hosts following authenticated HTTP sessions.
  • New or modified deployments (.war, .ear) or scheduled work managers introduced without a corresponding deployment ticket.

Detection Strategies

  • Correlate WebLogic access logs with authentication audit records to identify low-privileged accounts invoking privileged Core operations.
  • Inspect WebLogic AdminServer.log and access.log for anomalous HTTP verbs, parameter tampering, and unexpected 200 responses on management URIs.
  • Hunt for child processes spawned by the WebLogic JVM, including shells, scripting interpreters, or LOLBins, which indicate post-exploitation activity.
  • Apply behavioral analytics on identity telemetry to flag privilege transitions where a non-admin account performs administrator-equivalent actions.

Monitoring Recommendations

  • Forward WebLogic domain, access, and audit logs to a centralized SIEM or data lake for retention and correlation with identity telemetry.
  • Baseline normal HTTP request patterns to /console and management endpoints and alert on deviations from authenticated low-privilege users.
  • Monitor file system changes under $DOMAIN_HOME, particularly the servers/<server>/upload and autodeploy directories.
  • Track outbound network connections from WebLogic hosts and alert on connections to non-approved destinations.

How to Mitigate CVE-2026-35263

Immediate Actions Required

  • Apply the Oracle June 2026 Critical Patch Update to all WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 instances without delay.
  • Inventory every WebLogic deployment across the environment, including embedded Fusion Middleware stacks, and confirm version status.
  • Rotate WebLogic administrator credentials and review all user accounts for unexpected privilege grants.
  • Restrict network exposure of WebLogic administrative interfaces to trusted management networks only.

Patch Information

Oracle addresses CVE-2026-35263 in the June 2026 Critical Patch Update. Detailed patch references and download instructions are available in the Oracle Security Alert. Customers should follow Oracle's documented patch application procedure for their specific WebLogic topology and validate clustered deployments after patching.

Workarounds

  • Block external access to WebLogic administrative consoles and management endpoints using network ACLs or a reverse proxy until patching completes.
  • Enforce strict role-based access control and remove unused low-privilege application accounts that could be abused as a launchpad.
  • Enable WebLogic auditing at the highest practical level to capture authorization decisions on Core operations.
  • Require multi-factor authentication for all WebLogic user accounts where supported by the upstream identity provider.
bash
# Example: restrict WebLogic admin console exposure via iptables
iptables -A INPUT -p tcp --dport 7001 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7001 -j DROP
iptables -A INPUT -p tcp --dport 7002 -s 10.10.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 7002 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne