CVE-2026-35292: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. in Oracle Corporation WebLogic Server
CVE-2026-35292 is a critical vulnerability in Oracle WebLogic Server affecting versions 14.1.2.0.0 and 15.1.1.0.0. It allows an unauthenticated attacker with network access via HTTP to fully compromise the WebLogic Server, potentially leading to complete takeover. The vulnerability impacts confidentiality, integrity, and availability with a CVSS score of 10.0. Oracle has published a Critical Security Patch Update advisory recommending immediate patching. No explicit patch version is stated in the provided data, but Oracle strongly urges applying the June 2026 Critical Security Patch Update. Until patched, risk can be mitigated by blocking required network protocols or restricting privileges, though these may affect functionality.
AI Analysis
Technical Summary
CVE-2026-35292 is an easily exploitable vulnerability in the Console component of Oracle WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0. It allows unauthenticated remote attackers to compromise the server via HTTP, resulting in full takeover with high impact on confidentiality, integrity, and availability (CVSS 3.1 base score 10.0). The vulnerability also has scope change implications, potentially affecting additional Oracle products. Oracle’s June 2026 Critical Security Patch Update advisory addresses this and numerous other vulnerabilities, strongly recommending immediate patch application. No specific patch version is explicitly stated in the advisory content provided. Mitigation options include blocking attack vectors at the network level or reducing privileges, though these may disrupt normal operations.
Potential Impact
Successful exploitation of this vulnerability results in complete compromise of Oracle WebLogic Server, including full control over the server. This affects confidentiality, integrity, and availability of the system. Due to scope change, other Oracle products relying on WebLogic Server may also be impacted. The vulnerability is remotely exploitable without authentication over HTTP, increasing the risk of widespread exploitation if unpatched.
Mitigation Recommendations
Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately to remediate this vulnerability. The vendor advisory does not specify a particular patch version but emphasizes timely patching of supported versions. Until patches are applied, risk can be reduced by blocking network protocols required for exploitation or by restricting privileges and access to vulnerable components, though these measures may impact application functionality. Patch status is not explicitly confirmed in the advisory content provided; users should consult the Oracle advisory URL for the latest remediation details.
CVE-2026-35292: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise WebLogic Server. While the vulnerability is in WebLogic Server, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of WebLogic Server. in Oracle Corporation WebLogic Server
Description
CVE-2026-35292 is a critical vulnerability in Oracle WebLogic Server affecting versions 14.1.2.0.0 and 15.1.1.0.0. It allows an unauthenticated attacker with network access via HTTP to fully compromise the WebLogic Server, potentially leading to complete takeover. The vulnerability impacts confidentiality, integrity, and availability with a CVSS score of 10.0. Oracle has published a Critical Security Patch Update advisory recommending immediate patching. No explicit patch version is stated in the provided data, but Oracle strongly urges applying the June 2026 Critical Security Patch Update. Until patched, risk can be mitigated by blocking required network protocols or restricting privileges, though these may affect functionality.
CVSS v3.1
Score 10.0critical
Affected software
pkg:maven/com.oracle.weblogic/weblogic-serverRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35292 is an easily exploitable vulnerability in the Console component of Oracle WebLogic Server versions 14.1.2.0.0 and 15.1.1.0.0. It allows unauthenticated remote attackers to compromise the server via HTTP, resulting in full takeover with high impact on confidentiality, integrity, and availability (CVSS 3.1 base score 10.0). The vulnerability also has scope change implications, potentially affecting additional Oracle products. Oracle’s June 2026 Critical Security Patch Update advisory addresses this and numerous other vulnerabilities, strongly recommending immediate patch application. No specific patch version is explicitly stated in the advisory content provided. Mitigation options include blocking attack vectors at the network level or reducing privileges, though these may disrupt normal operations.
Potential Impact
Successful exploitation of this vulnerability results in complete compromise of Oracle WebLogic Server, including full control over the server. This affects confidentiality, integrity, and availability of the system. Due to scope change, other Oracle products relying on WebLogic Server may also be impacted. The vulnerability is remotely exploitable without authentication over HTTP, increasing the risk of widespread exploitation if unpatched.
Mitigation Recommendations
Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately to remediate this vulnerability. The vendor advisory does not specify a particular patch version but emphasizes timely patching of supported versions. Until patches are applied, risk can be reduced by blocking network protocols required for exploitation or by restricting privileges and access to vulnerable components, though these measures may impact application functionality. Patch status is not explicitly confirmed in the advisory content provided; users should consult the Oracle advisory URL for the latest remediation details.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-04-01T20:03:40.836Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b5f60b89be6888265366
Added to database: 6/16/2026, 8:45:42 PM
Last enriched: 6/17/2026, 12:00:57 AM
Last updated: 6/17/2026, 4:59:34 AM
Views: 21
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.