Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35311

CVE-2026-35311: Oracle WebLogic Server RCE Vulnerability

CVE-2026-35311 is a remote code execution vulnerability in Oracle WebLogic Server that allows low-privileged attackers to take over the server. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2026-35311 Overview

CVE-2026-35311 is a high-severity vulnerability in Oracle WebLogic Server, a component of Oracle Fusion Middleware. The flaw resides in the Core component and affects supported versions 12.2.1.4.0 and 14.1.2.0.0. A low-privileged attacker with network access via HTTP can exploit the issue to fully compromise the server.

Successful exploitation results in complete takeover of the WebLogic Server, with high impact to confidentiality, integrity, and availability. Oracle addressed the issue in the June 2026 Critical Patch Update. The weakness maps to [CWE-284: Improper Access Control].

Critical Impact

Authenticated attackers can take over WebLogic Server instances over the network using only HTTP, exposing hosted applications and backend data.

Affected Products

  • Oracle WebLogic Server 12.2.1.4.0
  • Oracle WebLogic Server 14.1.2.0.0
  • Oracle Fusion Middleware deployments embedding the affected WebLogic Core component

Discovery Timeline

Technical Details for CVE-2026-35311

Vulnerability Analysis

The vulnerability exists in the Core component of Oracle WebLogic Server. Oracle classifies it as easily exploitable over the network using HTTP. An attacker authenticated with low privileges can leverage the flaw to escalate access and take control of the server process.

The weakness is categorized under [CWE-284: Improper Access Control]. Access decisions inside the Core component fail to adequately restrict actions available to low-privileged sessions. This allows an authenticated user to reach functionality reserved for higher-privileged roles. The result is full compromise of the WebLogic Server, including hosted Java EE applications, JNDI resources, and credentials stored within domain configuration.

EPSS data from 2026-06-18 lists an exploit probability of 0.389% at the 30.58 percentile. No public proof-of-concept has been published, and CISA has not added the CVE to the Known Exploited Vulnerabilities catalog at the time of writing.

Root Cause

The root cause is improper enforcement of access controls in the WebLogic Server Core. Authorization checks do not sufficiently validate the privileges associated with the calling principal before exposing sensitive server operations to HTTP requests.

Attack Vector

The attack vector is network-based. An attacker sends crafted HTTP requests to a reachable WebLogic Server endpoint using a low-privileged account. No user interaction is required, and attack complexity is low. WebLogic instances exposed to the internet or to broad internal networks present the highest risk.

No verified exploit code is publicly available. Refer to the Oracle Security Alert for vendor technical details.

Detection Methods for CVE-2026-35311

Indicators of Compromise

  • Unexpected administrative actions or deployments performed by low-privileged WebLogic accounts.
  • New or modified Java applications, WAR/EAR files, or startup classes within the WebLogic domain directory.
  • Outbound connections from the WebLogic JVM process to unfamiliar hosts following HTTP requests from low-privileged users.
  • Authentication anomalies in AccessLog.log and *.out server logs preceding privileged operations.

Detection Strategies

  • Monitor WebLogic access and audit logs for low-privileged sessions invoking management or deployment URIs.
  • Correlate HTTP requests to WebLogic Administration Console, /management/*, and /wls-wsat/* paths with the authenticated principal and role.
  • Alert on child processes spawned by the WebLogic JVM (java.exe, java) that launch shells, cmd.exe, powershell.exe, or scripting interpreters.

Monitoring Recommendations

  • Forward WebLogic server, access, and audit logs to a centralized SIEM for retention and correlation.
  • Baseline normal administrative activity by account and source IP, then alert on deviations.
  • Track integrity of config.xml, deployment plans, and the servers/*/security directories within each WebLogic domain.

How to Mitigate CVE-2026-35311

Immediate Actions Required

  • Apply the June 2026 Oracle Critical Patch Update to all WebLogic Server 12.2.1.4.0 and 14.1.2.0.0 instances.
  • Inventory all WebLogic deployments, including those embedded in Oracle Fusion Middleware products, and prioritize internet-facing systems.
  • Restrict network exposure of WebLogic management interfaces to trusted administrative networks only.
  • Rotate credentials for WebLogic accounts and review role assignments after patching.

Patch Information

Oracle published the fix in the June 2026 Critical Patch Update. Review the Oracle Security Alert for the exact patch identifiers, prerequisite bundle patches, and post-installation steps for each supported version.

Workarounds

  • Place WebLogic Administration Console and management endpoints behind a reverse proxy or VPN that enforces source IP allowlisting.
  • Remove or disable unused low-privileged accounts and enforce strong authentication on all remaining accounts.
  • Restrict outbound network access from the WebLogic JVM to required destinations only, limiting post-exploitation options.
  • Where patching must be delayed, isolate affected servers from untrusted networks until the Critical Patch Update is applied.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne