CVE-2026-35284 is a critical security vulnerability in the Oracle WebCenter Enterprise Capture component of Oracle Fusion Middleware, specifically affecting versions 12.2.1.4.0 and 14.1.2.0.0. The flaw allows a low privileged attacker with network access via T3 or IIOP protocols to compromise the product, potentially leading to full takeover. The vulnerability has a CVSS 3.1 score of 9.9 with network attack vector, low attack complexity, low privileges required, no user interaction, and scope change, resulting in high impact on confidentiality, integrity, and availability. Oracle's June 2026 Critical Security Patch Update includes patches addressing this vulnerability among 245 others. Oracle strongly recommends applying these patches immediately. Workarounds include blocking the network protocols used for exploitation and removing unnecessary privileges, though these may disrupt normal operations.

Successful exploitation of CVE-2026-35284 can result in complete compromise of Oracle WebCenter Enterprise Capture, including full takeover of the system. The vulnerability affects confidentiality, integrity, and availability with high severity. Additionally, the attack may impact other Oracle products due to scope change. No known exploits in the wild have been reported at the time of publication.

Oracle has released security patches for this vulnerability as part of the June 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches without delay to mitigate the risk. Until patches are applied, risk can be reduced by blocking network protocols T3 and IIOP used for exploitation and by removing unnecessary privileges from users who do not require them. These mitigations may impact application functionality and should be tested accordingly. Patch status is confirmed by the vendor advisory, which provides patch availability documentation.