
CVE-2026-35302: Oracle WebLogic Server Auth Bypass Flaw

CVE-2026-35302 is an authentication bypass vulnerability in Oracle WebLogic Server Console affecting versions 12.2.1.4.0 and 14.1.1.0.0. This critical flaw can lead to complete server takeover. This article covers technical details, affected versions, impact analysis, and mitigation strategies.

CVE-2026-35302 Overview

CVE-2026-35302 affects the Console component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw is classified under [CWE-601] URL Redirection to Untrusted Site (Open Redirect). An unauthenticated remote attacker with network access over HTTP can exploit the issue, but successful exploitation requires user interaction from a victim other than the attacker. The vulnerability carries a scope change, meaning attacks may impact products beyond WebLogic Server itself.

Critical Impact

Successful exploitation can result in full takeover of Oracle WebLogic Server, with high impact to confidentiality, integrity, and availability across additional connected products.

Affected Products

  • Oracle WebLogic Server 12.2.1.4.0
  • Oracle WebLogic Server 14.1.1.0.0
  • Oracle Fusion Middleware deployments embedding the affected Console component

Discovery Timeline

  • 2026-06-17 - CVE-2026-35302 published to the National Vulnerability Database
  • 2026-06-18 - Last updated in NVD database
  • June 2026 - Oracle published advisory in the Oracle Security Alert June 2026

Technical Details for CVE-2026-35302

Vulnerability Analysis

The vulnerability resides in the WebLogic Server administration Console component. The Console fails to properly validate redirect targets, allowing an attacker to craft HTTP requests that redirect authenticated users to attacker-controlled destinations. This pattern aligns with [CWE-601], URL Redirection to Untrusted Site.

Exploitation requires a privileged user to interact with a malicious link. The interaction triggers the redirect chain that the attacker uses to harvest session material or stage follow-on requests against the Console. Because the vulnerability produces a scope change, the impact extends beyond the WebLogic instance to integrated Fusion Middleware components and downstream applications.

Oracle rates the issue as difficult to exploit due to required user interaction and timing, but rates confidentiality, integrity, and availability impact as high. Successful attack chains lead to takeover of the WebLogic Server process.

Root Cause

The Console component accepts redirect parameters without enforcing strict allow-listing of target hosts or paths. Improper validation of user-controlled URL data allows external destinations to be substituted into authenticated redirect flows. Attackers leverage this flaw to abuse the trust users place in the Oracle Console domain.

Attack Vector

The attack vector is network-based over HTTP and does not require prior authentication on the part of the attacker. An attacker crafts a URL pointing to the legitimate WebLogic Console endpoint with a manipulated redirect parameter. The attacker then delivers the link to an administrator through phishing or another social engineering channel. When the administrator follows the link while authenticated, the Console redirects the session toward an attacker-controlled host that captures credentials or tokens, enabling subsequent takeover actions against the server.

No verified public proof-of-concept code is available at the time of publication. Refer to the Oracle Security Alert June 2026 for vendor technical details.

Detection Methods for CVE-2026-35302

Indicators of Compromise

  • Outbound HTTP redirects from the WebLogic Console to domains outside the organization's approved administrative perimeter.
  • Console access logs containing redirect query parameters with absolute URLs, encoded URLs, or protocol-relative paths.
  • Administrator session activity originating from unexpected source addresses immediately after clicking external links.
  • Unexpected configuration changes or deployment activity in WebLogic following Console authentication events.

Detection Strategies

  • Inspect WebLogic access.log and Console request logs for redirect parameters containing fully qualified external URLs.
  • Correlate phishing email events with subsequent Console authentication and redirect activity for the same user.
  • Alert on Console responses returning HTTP 302 or 303 status codes pointing to non-corporate domains.
  • Monitor administrator account activity for session reuse from geographically inconsistent IP addresses.

Monitoring Recommendations

  • Forward WebLogic Console, Managed Server, and HTTP access logs to a centralized SIEM with retention for forensic review.
  • Apply web application firewall (WAF) rules that flag redirect parameters referencing external hosts.
  • Track privileged WebLogic administrator logins against a baseline of expected source networks.
  • Enable auditing on Oracle Fusion Middleware to capture configuration and deployment changes following Console authentication.

How to Mitigate CVE-2026-35302

Immediate Actions Required

  • Apply the Oracle Critical Patch Update referenced in the Oracle Security Alert June 2026 for all affected WebLogic deployments.
  • Restrict network access to the WebLogic Console to trusted administrative networks using firewall or reverse-proxy rules.
  • Require administrators to authenticate to the Console only from managed workstations and dedicated jump hosts.
  • Brief privileged WebLogic users on the risk of following Console links delivered through email or chat.

Patch Information

Oracle addressed CVE-2026-35302 in the June 2026 Critical Patch Update for Oracle Fusion Middleware. Administrators running WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 must apply the corresponding patch bundle published in the Oracle Security Alert June 2026. Validate patch deployment by checking the WebLogic OPatch inventory and Console version banner after installation.

Workarounds

  • Disable the WebLogic administration Console in production environments where it is not required, using the Console Enabled domain setting.
  • Place the Console behind a reverse proxy that strips or validates redirect query parameters against an allow-list of internal hosts.
  • Enforce HTTP Referer and Origin header checks at the proxy layer to limit cross-site initiated redirects.
  • Require multi-factor authentication for all WebLogic administrative accounts to reduce the value of intercepted sessions.
```bash
# Example: restrict Console access via firewall (Linux iptables)
# Allow only the admin jump host (10.10.20.5 here; substitute your own) to reach
# the Console port (7001), then drop everything else. Rule order matters: the
# ACCEPT must precede the DROP. Persist the rules with your distribution's
# iptables-save mechanism or they are lost on reboot.
iptables -A INPUT -p tcp --dport 7001 -s 10.10.20.5 -j ACCEPT
iptables -A INPUT -p tcp --dport 7001 -j DROP

# Example: disable the Console in a WebLogic domain via WLST
# Write the WLST script, then run it with the WebLogic environment sourced
# (setWLSEnv.sh) so that weblogic.WLST is on the classpath.
cat > disable_console.py <<'EOF'
connect('weblogic', '<password>', 't3://adminhost:7001')
edit()
startEdit()
cmo.setConsoleEnabled(false)
save()
activate()
EOF
java weblogic.WLST disable_console.py
```
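The detection strategies above (flagging redirect parameters that resolve to external hosts, including encoded and protocol-relative forms) and the reverse-proxy workaround (validating redirect targets against an allow-list of internal hosts) rest on the same check. The following is an added example, not code from Oracle, the WebLogic product, or the advisory: a redirect-target classifier that folds multiple percent-encoding layers and backslashes before deciding whether a target is a same-site path, an allow-listed host, or external, a `safe_redirect_target` wrapper that a proxy or application would apply, and a scanner that runs the same classifier over access-log lines. The allow-listed host names, the redirect parameter names, the log format and the log lines themselves are constructed assumptions; the parameter actually involved in CVE-2026-35302 is not public.

```python
"""Added example (not from Oracle or the WebLogic code base): allow-list validation
of redirect targets plus a scanner applying that check to access-log lines.
All host names, parameter names and log lines below are constructed assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts an authenticated Console redirect may legitimately land on (assumption).
ALLOWED_HOSTS = {"adminhost.corp.example", "weblogic01.corp.example"}

# Parameter names that commonly carry a post-login return target (assumption;
# the parameter affected by CVE-2026-35302 is not public).
REDIRECT_PARAMS = ("redirect", "returnUrl", "return_url", "next", "url", "target")


def normalize_target(raw: str, max_decode: int = 3) -> str:
    """Percent-decode repeatedly (double encoding is a classic filter bypass) and
    fold backslashes, which some parsers treat as slashes, so '/\\evil' is not
    mistaken for a same-site path."""
    value = raw
    for _ in range(max_decode):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/").strip()


def classify_target(raw: str) -> str:
    """Return 'relative' (single-slash same-site path), 'allowed' (http/https to an
    allow-listed host) or 'external' (anything else, including unparseable input)."""
    target = normalize_target(raw)
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 brackets
        return "external"
    if parts.netloc:  # absolute and protocol-relative ('//host') URLs both land here
        if parts.scheme not in ("", "http", "https"):
            return "external"
        # .hostname strips userinfo, so 'allowed.host@evil.example' resolves to evil.example
        return "allowed" if (parts.hostname or "") in ALLOWED_HOSTS else "external"
    if parts.scheme:  # javascript:, data:, mailto: and friends have no netloc
        return "external"
    if target.startswith("/") and not target.startswith("//"):
        return "relative"
    return "external"  # bare 'host/path' and empty values are not trusted


def safe_redirect_target(raw: str, fallback: str = "/console") -> str:
    """The allow-list workaround: redirect to the requested target only when it is
    same-site or allow-listed, otherwise to a fixed fallback."""
    if classify_target(raw) in ("relative", "allowed"):
        return normalize_target(raw)
    return fallback


# Common-log style request line: "METHOD /path?query HTTP/x.y" status (assumed format).
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def scan_access_log(lines):
    """Flag requests whose redirect-style parameter resolves to an external target.
    Returns one finding per offending parameter value."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group("path")).query, keep_blank_values=True)
        for name in REDIRECT_PARAMS:
            for value in params.get(name, []):  # parse_qs already decoded one layer
                if classify_target(value) == "external":
                    findings.append({"param": name, "target": value,
                                     "status": m.group("status"), "line": line})
    return findings


# Constructed sample log lines: a same-site redirect, an absolute external URL,
# a double-encoded protocol-relative URL, and an allow-listed host.
SAMPLE_LOG = [
    '10.10.20.5 - weblogic [17/Jun/2026:10:01:02 +0000] "GET /console/login?redirect=%2Fconsole%2Fhome HTTP/1.1" 200 1832',
    '198.51.100.7 - - [17/Jun/2026:10:03:44 +0000] "GET /console/login?redirect=https%3A%2F%2Fevil.example%2Fconsole HTTP/1.1" 302 0',
    '198.51.100.7 - - [17/Jun/2026:10:03:50 +0000] "GET /console/login?redirect=%252F%252Fevil.example HTTP/1.1" 302 0',
    '10.10.20.5 - weblogic [17/Jun/2026:10:05:10 +0000] "GET /console/login?redirect=https%3A%2F%2Fadminhost.corp.example%2Fconsole HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"EXTERNAL redirect via {f['param']}={f['target']} (status {f['status']})")
```

Running the block prints two findings for the constructed log: the absolute `https://evil.example` target and the double-encoded `//evil.example` target, while the same-site path and the allow-listed host pass. At the proxy layer the same `safe_redirect_target` decision replaces the parameter value rather than merely logging it; in a SIEM, pair the scanner's findings with 302/303 responses from the Console and the source address, per the detection strategies above.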

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
