CVE-2026-46848 Overview
CVE-2026-46848 affects the Console component of Oracle WebLogic Server, part of Oracle Fusion Middleware. The flaw impacts versions 14.1.2.0.0 and 15.1.1.0.0. A low-privileged attacker with local logon to the infrastructure running WebLogic Server can exploit this vulnerability when a separate user performs an interactive action. Successful exploitation results in unauthorized read, modification, deletion, or creation of all WebLogic Server accessible data. The vulnerability carries a scope change, meaning impact may extend beyond WebLogic Server itself to additional products in the environment. Oracle published the fix in the June 2026 Critical Patch Update.
Critical Impact
Authenticated local attackers can compromise confidentiality and integrity of all WebLogic Server data and pivot impact to additional Fusion Middleware components through scope change.
Affected Products
- Oracle WebLogic Server 14.1.2.0.0
- Oracle WebLogic Server 15.1.1.0.0
- Oracle Fusion Middleware deployments using the WebLogic Console
Discovery Timeline
- 2026-06-17 - CVE-2026-46848 published to NVD
- 2026-06-17 - Oracle releases security patch in the June 2026 Critical Patch Update
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-46848
Vulnerability Analysis
The vulnerability resides in the WebLogic Server Console component, the administrative web interface used to manage server domains, deployments, and resources. The weakness is classified as CWE-284, Improper Access Control. An attacker who already holds a low-privileged local account on the host where WebLogic Server runs can leverage the Console to perform actions that should be restricted. Exploitation requires user interaction from another party, which suggests a vector consistent with tricking a privileged administrator into rendering or acting on attacker-controlled Console content. The scope change indicates that the exploited Console process can affect resources outside its security authority, including downstream Fusion Middleware components and connected data stores. Successful attacks yield complete read and write access to data the WebLogic Server can reach.
Root Cause
The Console component fails to properly enforce access control checks on certain administrative operations. Oracle's advisory does not disclose the precise sink, but the CWE-284 mapping indicates that authorization logic does not adequately restrict what a low-privileged authenticated user can submit, or cause to be executed, when an administrator interacts with the Console.
Attack Vector
The attack vector is local, requiring an authenticated foothold on the host running WebLogic Server. The attacker stages content or a request through the Console that triggers when a higher-privileged user performs an action such as opening a Console page or approving a workflow. Because the scope changes, the privileges abused exceed those granted to the low-privileged attacker, allowing manipulation of all WebLogic-accessible data.
No verified public proof-of-concept code is available. Refer to the Oracle Security Alert for vendor-supplied technical context.
Detection Methods for CVE-2026-46848
Indicators of Compromise
- Unexpected modifications to WebLogic domain configuration files, JDBC data sources, or deployed applications without corresponding change tickets.
- Console access log entries showing low-privileged accounts issuing administrative operations or accessing pages outside their normal role.
- New or modified MBean attributes, security realms, or user role mappings made during sessions initiated by non-administrative users.
Detection Strategies
- Audit AdminServer.log, access.log, and audit provider logs for Console requests originating from accounts that should not perform administrative operations.
- Correlate local logon events on WebLogic hosts with subsequent Console activity to identify low-privileged users initiating sensitive workflows.
- Monitor process creation under the WebLogic Java process for unexpected child processes or file writes to domain directories.
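The first two detection strategies above can be combined into one hunt: parse Console requests out of access.log, flag administrative operations issued by accounts outside the expected administrator set, and pair each flagged request with a local logon by the same user on the WebLogic host shortly before it. The following script is an added example written for this page, not Oracle tooling. It assumes access.log is in its default Common Log Format with the authenticated user in the third field, and the log lines, logon events, administrator set and `_pageLabel` keywords are all constructed for the example rather than taken from a real domain.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Common Log Format, the default layout of a WebLogic
# access.log. The third field is assumed to hold the authenticated Console user;
# the _pageLabel values are illustrative, not real Console routes.
ACCESS_LOG = """\
10.0.0.5 - wladmin [17/Jun/2026:10:15:02 +0000] "GET /console/console.portal HTTP/1.1" 200 8812
10.0.0.5 - wladmin [17/Jun/2026:10:15:40 +0000] "POST /console/console.portal?_nfpb=true&_pageLabel=JDBCDataSourceCreate HTTP/1.1" 200 120
10.0.0.9 - jdoe [17/Jun/2026:10:16:01 +0000] "GET /console/console.portal?_nfpb=true&_pageLabel=ServerTable HTTP/1.1" 200 4410
10.0.0.9 - jdoe [17/Jun/2026:10:17:30 +0000] "POST /console/console.portal?_nfpb=true&_pageLabel=SecurityRealmRoleMappings HTTP/1.1" 200 98
10.0.0.9 - jdoe [17/Jun/2026:10:18:05 +0000] "GET /myapp/index.jsp HTTP/1.1" 200 512
"""

# Constructed local logon events for the WebLogic host (as they would look after
# normalising /var/log/secure or the Windows Security log in a SIEM).
LOCAL_LOGONS = [
    {"time": datetime(2026, 6, 17, 10, 5, 0, tzinfo=timezone.utc), "user": "jdoe", "host": "wls-admin-01"},
    {"time": datetime(2026, 6, 17, 9, 0, 0, tzinfo=timezone.utc), "user": "wladmin", "host": "wls-admin-01"},
]

ADMIN_USERS = {"wladmin"}  # accounts expected to perform administrative Console operations
SENSITIVE_PAGES = ("JDBC", "SecurityRealm", "RoleMapping", "Deploy")  # constructed keyword list

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_access_log(text):
    """Parse CLF lines into dicts with a timezone-aware timestamp; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def is_admin_operation(entry):
    """State-changing Console requests, or reads of privilege-sensitive pages, count as administrative."""
    if not entry["path"].startswith("/console"):
        return False
    if entry["method"] in ("POST", "PUT", "DELETE"):
        return True
    return any(k in entry["path"] for k in SENSITIVE_PAGES)


def find_suspicious(entries, admin_users=ADMIN_USERS):
    """Administrative Console operations issued by authenticated accounts outside the admin set."""
    return [e for e in entries
            if e["user"] != "-" and e["user"] not in admin_users and is_admin_operation(e)]


def correlate_with_logons(suspicious, logons=LOCAL_LOGONS, window=timedelta(minutes=30)):
    """Pair each suspicious request with a local logon by the same user within the window before it."""
    hits = []
    for e in suspicious:
        for lg in logons:
            delta = e["time"] - lg["time"]
            if lg["user"] == e["user"] and timedelta(0) <= delta <= window:
                hits.append({"user": e["user"], "host": lg["host"], "logon": lg["time"],
                             "request": e["path"], "at": e["time"]})
    return hits


if __name__ == "__main__":
    flagged = find_suspicious(parse_access_log(ACCESS_LOG))
    for hit in correlate_with_logons(flagged):
        print(f"{hit['user']} logged on to {hit['host']} at {hit['logon']:%H:%M} "
              f"and issued {hit['request']} at {hit['at']:%H:%M}")
```

Tune `ADMIN_USERS` and `SENSITIVE_PAGES` to the domain's real role model before relying on the output; the keyword list deliberately errs toward false positives, since a low-privileged account touching realm or data-source pages at all is worth a look for this CVE.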
Monitoring Recommendations
- Forward WebLogic audit, access, and server logs to a centralized SIEM with alerting on privilege-sensitive Console endpoints.
- Enable Oracle WebLogic auditing providers at the Success and Failure severity to capture authorization decisions.
- Track integrity of config.xml, deployment plans, and security policy files using file integrity monitoring.
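The third recommendation, file integrity monitoring of the domain's configuration and security files, can be implemented with a stored SHA-256 baseline and a periodic comparison. The script below is an added example for this page, not part of any Oracle product. It assumes the files of interest live under the domain's `config/` and `security/` subdirectories, and the demo builds a throwaway domain tree with constructed file contents so it runs offline.

```python
import hashlib
import os
import tempfile

# Domain subdirectories to watch: config/ holds config.xml, JDBC descriptors and
# deployment plans; security/ holds realm seed and policy files. The selection is
# an assumption for this example.
WATCHED_DIRS = ("config", "security")


def sha256_of(path):
    """Stream a file through SHA-256 so large descriptors are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(domain_dir, watched=WATCHED_DIRS):
    """Map each watched file (path relative to the domain, '/' separated) to its digest."""
    digests = {}
    for sub in watched:
        for dirpath, _, files in os.walk(os.path.join(domain_dir, sub)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, domain_dir).replace(os.sep, "/")
                digests[rel] = sha256_of(full)
    return digests


def compare(old, new):
    """Classify differences between two baselines as added, removed or modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed domain tree: baseline it, simulate an unauthorised change, and diff."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "config", "jdbc"))
        os.makedirs(os.path.join(d, "security"))
        cfg = os.path.join(d, "config", "config.xml")
        with open(cfg, "w") as f:
            f.write("<domain><console-enabled>false</console-enabled></domain>\n")
        with open(os.path.join(d, "security", "RoleMapperInit.ldift"), "w") as f:
            f.write("# constructed placeholder for a role-mapper seed file\n")
        before = baseline(d)
        # Simulated tampering: Console re-enabled and a new JDBC descriptor dropped in.
        with open(cfg, "w") as f:
            f.write("<domain><console-enabled>true</console-enabled></domain>\n")
        with open(os.path.join(d, "config", "jdbc", "rogue-ds.xml"), "w") as f:
            f.write("<jdbc-data-source/>\n")
        return compare(before, baseline(d))


if __name__ == "__main__":
    print(demo())
```

Store the baseline off the host (for example alongside the SIEM data) so that an attacker with local access cannot rewrite it, and re-baseline only from a change ticket.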
How to Mitigate CVE-2026-46848
Immediate Actions Required
- Apply the Oracle June 2026 Critical Patch Update to all WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 deployments.
- Restrict local logon rights on WebLogic hosts to administrators and required service accounts only.
- Review and reduce Console-accessible accounts, removing dormant or excessive low-privileged users.
- Rotate WebLogic administrative credentials and session tokens after patching.
Patch Information
Oracle addressed CVE-2026-46848 in the June 2026 Critical Patch Update. Customers should download and apply the corresponding patches for WebLogic Server 14.1.2.0.0 and 15.1.1.0.0 as documented in the Oracle Security Alert. Patch deployment requires a server restart and should be validated in a staging domain before production rollout.
Workarounds
- Restrict network and local access to the WebLogic Administration Console to a dedicated management network or jump host.
- Disable the Administration Console in production domains where it is not actively required by setting the Console Enabled domain attribute to false.
- Enforce multi-factor authentication on bastion hosts that provide access to WebLogic infrastructure.
- Limit which administrators interact with Console pages until the patch is applied to reduce the user-interaction component of the attack chain.
# Disable the WebLogic Administration Console via WLST
# Run with the wlst.sh/wlst.cmd shipped with the installation; replace <password>
# and the t3 URL with the AdminServer values for your domain.
connect('weblogic','<password>','t3://adminhost:7001')
edit()            # switch to the edit MBean tree
startEdit()       # take the edit lock
cd('/')           # the domain MBean; ConsoleEnabled is a DomainMBean attribute
cmo.setConsoleEnabled(false)
save()            # save the pending change
activate()        # commit and activate it
disconnect()
exit()
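Whether the workaround is actually in effect, and whether a domain is on an affected version at all, can be checked without connecting to the AdminServer by reading the domain's config.xml. The following script is an added example for this page, not Oracle code. It relies on the WebLogic domain namespace and the `domain-version` and `console-enabled` elements as they appear in config.xml; the two sample documents are constructed. One caveat it handles: WebLogic omits attributes that are at their default value, and the default for Console Enabled is true, so a config.xml with no `console-enabled` element means the Console is enabled.

```python
import xml.etree.ElementTree as ET

NS = {"d": "http://xmlns.oracle.com/weblogic/domain"}
AFFECTED_VERSIONS = {"14.1.2.0.0", "15.1.1.0.0"}  # versions named in the advisory

# Constructed config.xml with the workaround applied.
SAMPLE_CONFIG_DISABLED = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <domain-version>14.1.2.0.0</domain-version>
  <console-enabled>false</console-enabled>
  <server><name>AdminServer</name></server>
</domain>
"""

# Constructed config.xml on an affected version with no console-enabled element,
# which WebLogic writes when the attribute is still at its default of true.
SAMPLE_CONFIG_DEFAULT = """<?xml version="1.0" encoding="UTF-8"?>
<domain xmlns="http://xmlns.oracle.com/weblogic/domain">
  <name>base_domain</name>
  <domain-version>15.1.1.0.0</domain-version>
  <server><name>AdminServer</name></server>
</domain>
"""


def assess_domain(config_xml):
    """Return version, affected flag, effective Console state and overall exposure."""
    root = ET.fromstring(config_xml)
    version = root.findtext("d:domain-version", default="", namespaces=NS).strip()
    enabled_text = root.findtext("d:console-enabled", namespaces=NS)
    # Missing element means default, and the default is enabled.
    console_enabled = True if enabled_text is None else enabled_text.strip().lower() == "true"
    affected = version in AFFECTED_VERSIONS
    return {
        "version": version,
        "affected": affected,
        "console_enabled": console_enabled,
        "exposed": affected and console_enabled,
    }


def assess_file(path):
    """Assess a config.xml on disk (typically <domain>/config/config.xml)."""
    with open(path, "rb") as f:
        return assess_domain(f.read())


if __name__ == "__main__":
    for label, doc in (("disabled", SAMPLE_CONFIG_DISABLED), ("default", SAMPLE_CONFIG_DEFAULT)):
        print(label, assess_domain(doc))
```

An `exposed` result of true for a production domain means the patch has not been applied and the Console is still reachable; treat it as a finding to close via the June 2026 Critical Patch Update rather than a permanent state.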
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

