Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-04-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution and Server Takeover
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the Core component of Oracle WebLogic Server lets an attacker who already holds high privileges and can reach the server over HTTP compromise the whole instance. A successful attack gives full control of the application server, with high impact to confidentiality, integrity, and availability. The entry carries CWE-284 (Improper Access Control) as its weakness classification; the vendor text does not describe the underlying defect.

Affected Systems

Oracle WebLogic Server versions 12.2.1.4.0 and 14.1.1.0.0 are affected. These releases are part of Oracle Fusion Middleware and are used to host enterprise web applications.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 falls in the High band (7.0 to 8.9). The vector is network reachable with low attack complexity and no user interaction (AV:N/AC:L/UI:N), but Privileges Required is High (PR:H): the attacker must already hold a highly privileged WebLogic account, and that requirement is what keeps the score below the 9.8 that a pre-authentication flaw with the same impact would carry. The EPSS score is below 1%, a very low but non-zero estimated probability of exploitation in the wild, and the vulnerability is not in the CISA KEV catalog; the SSVC assessment recorded in the history below is Exploitation: none, Automatable: no, Technical Impact: total. The practical risk is therefore concentrated in privileged-credential compromise and insider misuse: an attacker who obtains administrator credentials, whether through phishing, reuse, or a prior lower-severity flaw, can turn them into full takeover of the server.

Generated by OpenCVE AI on April 28, 2026 at 21:22 UTC.

Remediation

This entry records no vendor fix or workaround in its remediation field. Oracle ships WebLogic Server fixes through its quarterly Critical Patch Update rather than as standalone advisories, and this CVE was published on the April 2026 CPU date (2026-04-21), so the patch and the list of non-affected releases should be taken from that CPU advisory, which the recommended actions below reference.

OpenCVE Recommended Actions

  • Inventory every WebLogic installation, not only production: staging and development hosts run the same binaries and often share administrator credentials. For each, record the base version and the applied Patch Set Update; 12.2.1.4.0 and 14.1.1.0.0 are the releases listed as affected here.
  • Apply the WebLogic patch from Oracle's April 2026 Critical Patch Update, or upgrade to a release the CPU lists as not affected, then restart the patched servers so the running JVMs load the updated binaries.
  • Because exploitation requires high privileges over HTTP, shrink who can reach the administrative HTTP surface: expose the administration console and management endpoints only on a dedicated administration port or management network, front application traffic with a proxy that does not forward console paths, and review which accounts hold the Admin role. Until the patch is in place, treat any administrator login from an unexpected source as an incident.
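The inventory step above is the one that usually goes wrong in practice, because a host can report the right base version while still missing the PSU. The following is an added example, not OpenCVE's or Oracle's code, that parses the output of `java weblogic.version` (run after sourcing `$DOMAIN_HOME/bin/setDomainEnv.sh` on each host) and classifies each host against the releases listed in this entry. The PSU build dates in REQUIRED_PSU are placeholders, not the real April 2026 values, because this page does not carry the patch identifiers; fill them in from the CPU advisory. The sample host outputs are constructed for illustration.

```python
# Added example (not OpenCVE's or Oracle's code): classify WebLogic hosts from
# `java weblogic.version` output as not-listed, psu-current, or patch-required.
import re
from datetime import date

# Releases listed as affected in this entry's Description.
AFFECTED = {"12.2.1.4.0", "14.1.1.0.0"}

# PLACEHOLDER PSU build dates (YYMMDD) per release line. These are NOT the real
# April 2026 CPU values; replace them with the PSU version from the advisory.
REQUIRED_PSU = {"12.2.1.4": "260401", "14.1.1.0": "260401"}

# "WebLogic Server 12.2.1.4.0 <build info>" and "WLS PATCH SET UPDATE 12.2.1.4.YYMMDD"
VERSION_RE = re.compile(r"WebLogic Server (\d+(?:\.\d+){3,4})")
PSU_RE = re.compile(r"PATCH SET UPDATE (\d+\.\d+\.\d+\.\d+)\.(\d{6})")


def psu_date(yymmdd):
    """Convert the YYMMDD suffix of a PSU version string into a date."""
    return date(2000 + int(yymmdd[:2]), int(yymmdd[2:4]), int(yymmdd[4:]))


def parse_weblogic_version(output):
    """Return (base_version, newest PSU date or None) from `java weblogic.version` output."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'WebLogic Server <version>' line found")
    dates = [psu_date(yymmdd) for _, yymmdd in PSU_RE.findall(output)]
    return m.group(1), (max(dates) if dates else None)


def assess(host, output):
    """Classify one host. PSUs are cumulative, so any PSU built on or after
    the required one covers the fix; no PSU or an older one means patch-required."""
    base, installed = parse_weblogic_version(output)
    result = {"host": host, "version": base, "psu": installed}
    if base not in AFFECTED:
        result["status"] = "not-listed"
        return result
    release = base.rsplit(".", 1)[0]          # "12.2.1.4.0" -> "12.2.1.4"
    required = psu_date(REQUIRED_PSU[release])
    if installed is not None and installed >= required:
        result["status"] = "psu-current"
    else:
        result["status"] = "patch-required"
    return result


def report(samples):
    """Assess a {host: output} mapping, sorted by host name."""
    return [assess(h, out) for h, out in sorted(samples.items())]


# Constructed sample inventory (build strings and hostnames are illustrative).
SAMPLES = {
    "wls-prod-01": "WebLogic Server 12.2.1.4.0 Thu Sep 12 04:04:29 GMT 2019 1974621\n",
    "wls-prod-02": ("WebLogic Server 12.2.1.4.0 Thu Sep 12 04:04:29 GMT 2019 1974621\n"
                    "WLS PATCH SET UPDATE 12.2.1.4.250415\n"),
    "wls-prod-03": ("WebLogic Server 14.1.1.0.0 Thu Mar 26 03:15:01 GMT 2020 1976580\n"
                    "WLS PATCH SET UPDATE 14.1.1.0.260401\n"),
    "wls-dev-01": "WebLogic Server 14.1.2.0.0 Fri Oct 11 01:10:22 GMT 2024 2049183\n",
}

if __name__ == "__main__":
    for row in report(SAMPLES):
        print(f"{row['host']:12} {row['version']:10} psu={row['psu']}  {row['status']}")
```

Two caveats when using this for real. `java weblogic.version` reports the Oracle Home on disk, so a host patched but not restarted still shows the new PSU while the old code is running; pair the check with process start times. And a PSU date comparison is a screening heuristic: close the ticket only after `opatch lsinventory` shows the patch IDs named in the CPU advisory.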


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title High Privilege WebLogic Server Compromise via HTTP

Mon, 27 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Title High‑Privilege Remote Code Execution in Oracle WebLogic Server via HTTP
Weaknesses CWE-360
CWE-502

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

SSVC 2.0.3: Exploitation: none; Automatable: no; Technical Impact: total


Wed, 22 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Title High‑Privilege Remote Code Execution in Oracle WebLogic Server via HTTP
Weaknesses CWE-360
CWE-502

Wed, 22 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Title Remote Server Takeover via HTTP in Oracle WebLogic Server
Weaknesses CWE-287
CWE-94

Wed, 22 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
Title Remote Server Takeover via HTTP in Oracle WebLogic Server
Weaknesses CWE-287
CWE-94

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

cvssV3_1: score 7.2; vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-23T03:55:48.264Z

Reserved: 2026-03-26T19:48:45.677Z

Link: CVE-2026-34292

Vulnrichment

Updated: 2026-04-22T13:45:45.444Z

NVD

Status : Analyzed

Published: 2026-04-21T21:16:34.087

Modified: 2026-04-23T18:47:55.460

Link: CVE-2026-34292

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses