This vulnerability affects Oracle WebLogic Server's Web Services component across multiple supported versions. It enables an unauthenticated attacker with network access to exploit the system via HTTP, contingent on user interaction from someone other than the attacker. The vulnerability allows unauthorized modification of critical data or all data accessible by the server, impacting data integrity without affecting confidentiality or availability. The CVSS 3.1 base score is 6.5, reflecting medium severity with low attack complexity and no privileges required but requiring user interaction. Oracle has addressed this vulnerability in their April 2026 Critical Patch Update, which includes 481 security patches across various products including Fusion Middleware. The vendor strongly recommends applying these patches without delay to prevent exploitation.

Successful exploitation can result in unauthorized creation, deletion, or modification of critical or all accessible data within Oracle WebLogic Server, impacting data integrity. There is no direct impact on confidentiality or availability reported. The vulnerability requires user interaction from a person other than the attacker, which may limit exploitation scenarios. No known exploits in the wild have been reported at this time.

Oracle has released security patches addressing this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products, including Oracle WebLogic Server. Customers should apply these official patches promptly to remediate the vulnerability. Oracle strongly advises remaining on actively supported versions and applying Critical Patch Updates without delay. Patch status is confirmed by the vendor advisory. No alternative mitigations or workarounds are specified in the advisory.