Description
Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).
Published: 2026-01-20
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification and disclosure
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Oracle HTTP Server and the Weblogic Server Proxy Plug‑in allows an unauthenticated attacker who can reach the server over HTTP to create, delete, or modify critical data and to read all data the server exposes. It undermines both confidentiality and integrity, granting access to sensitive information and the ability to tamper with the system’s data. The flaw is an access-control weakness (CWE-284) that permits these actions without valid credentials.

Affected Systems

Oracle HTTP Server versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0, as well as the Weblogic Server Proxy Plug‑in for Apache HTTP Server and for IIS. The IIS plug‑in is affected only in version 12.2.1.4.0, while the Apache plug‑in versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0 are all vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 10.0 indicates a critical risk level; the vector describes a network attack vector with low attack complexity, no privileges or user interaction required, and a scope change that extends the impact beyond the vulnerable component to the broader Oracle Fusion Middleware environment. The current EPSS score is reported as less than 1%, suggesting that exploitation is unlikely at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, because the flaw can be leveraged from any host that can reach the HTTP interface and requires no authentication, the attack path is straightforward and the potential for a disruptive data breach remains high.

Generated by OpenCVE AI on April 18, 2026 at 04:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and install the January 2026 CPU update for the affected Oracle HTTP Server and Weblogic Server Proxy Plug‑in version(s) as detailed in Oracle’s official security alert document.
  • If the Weblogic Server Proxy Plug‑in for IIS is in use, update it to the fixed version provided by Oracle; only version 12.2.1.4.0 is affected for IIS, but all newer releases incorporate the fix for the plug‑in.
  • Disable the Weblogic Server Proxy Plug‑in if it is not required, or restrict HTTP traffic to the server using firewall rules to limit access to trusted hosts until the update is applied.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 04:45:00 +0000

Type: Title
Values Added: Unauthorized Data Modification via Unauthenticated HTTP Access in Oracle HTTP Server and Weblogic Proxy Plug‑in

Mon, 02 Feb 2026 23:15:00 +0000


Thu, 29 Jan 2026 21:15:00 +0000

Type: First Time appeared
Values Added: Oracle http Server; Oracle weblogic Server Proxy Plug-in

Type: CPEs
Values Added:
cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server:14.1.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.2.0.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Oracle http Server; Oracle weblogic Server Proxy Plug-in

Wed, 28 Jan 2026 18:15:00 +0000

Type: References

Type: Metrics ssvc
Values Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 26 Jan 2026 21:30:00 +0000

Type: References

Mon, 26 Jan 2026 21:15:00 +0000

Type: References

Thu, 22 Jan 2026 23:00:00 +0000

Type: References

Type: Metrics ssvc
Values Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 21 Jan 2026 16:15:00 +0000

Type: Weaknesses
Values Added: CWE-284

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

Type: Description
Values Added: Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

Type: First Time appeared
Values Added: Oracle; Oracle http Server Oracle Weblogic Server Proxy Plug-in

Type: CPEs
Values Added:
cpe:2.3:a:oracle:http_server__oracle_weblogic_server_proxy_plug-in:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server__oracle_weblogic_server_proxy_plug-in:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:http_server__oracle_weblogic_server_proxy_plug-in:14.1.2.0.0:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Oracle; Oracle http Server Oracle Weblogic Server Proxy Plug-in

Type: References

Type: Metrics cvssV3_1
Values Added: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-02-02T23:05:30.157Z

Reserved: 2026-01-05T18:07:34.714Z

Link: CVE-2026-21962

Vulnrichment

Updated: 2026-01-21T15:50:26.853Z

NVD

Status : Modified

Published: 2026-01-20T22:15:59.110

Modified: 2026-02-03T00:16:10.653

Link: CVE-2026-21962

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses