This vulnerability in Oracle WebLogic Server's Web Services component allows an unauthenticated attacker to exploit the server over HTTP, requiring human interaction from a user other than the attacker. The attack can result in unauthorized modification of critical data or any data accessible by the server. Affected versions include 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The CVSS 3.1 vector indicates network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. Oracle's April 2026 Critical Patch Update addresses this vulnerability among others and urges customers to apply patches promptly to mitigate risk.

Successful exploitation can lead to unauthorized creation, deletion, or modification of critical or all accessible data on the affected Oracle WebLogic Server instances. This impacts data integrity but does not affect confidentiality or availability according to the CVSS vector. The vulnerability requires user interaction from a person other than the attacker, which may limit automated exploitation. No known exploits in the wild have been reported at the time of publication.

Oracle has released patches for this vulnerability as part of the April 2026 Critical Patch Update for Fusion Middleware products, which includes Oracle WebLogic Server. Customers are strongly advised to apply these patches without delay to remediate the vulnerability. Since this is not a cloud service, patching must be performed by the customer. No vendor advisory states that no action is required or that the issue is already mitigated without patching. Patch status is confirmed via the Oracle advisory at https://www.oracle.com/security-alerts/cpuapr2026.html. Users should review this advisory for detailed patch availability and installation instructions.