CVE-2026-34305 - Vulnerability Details

- Unauthenticated Remote Access Vulnerability in Oracle WebLogic Server

Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Published: 2026-04-21

Score: 7.5 High

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in Oracle WebLogic Server’s Web Services component allows an unauthenticated attacker with network access via HTTP to compromise the server and gain unauthorized access to critical data. The impact is limited to confidentiality, with no noted integrity or availability effects. The weakness appears to be an improper access control flaw that permits bypass of authentication checks.

Affected Systems

Affected products are Oracle WebLogic Server from Oracle Corporation. Versions impacted include 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. Users running these versions should verify their installed release and apply vendor advisories.

Risk and Exploitability

This issue carries a CVSS 3.1 Base Score of 7.5, indicating significant confidentiality risk. The EPSS score is not available for this entry and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote HTTP traffic from an unauthenticated network source. Successful exploitation could lead to full access to all data the WebLogic Server manages without requiring credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle WebLogic Server

affected

Version	Status	Constraints
`12.2.1.4.0`	affected	—
`14.1.1.0.0`	affected	—
`14.1.2.0.0`	affected	—
`15.1.1.0.0`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Weblogic Server

95%

Version	Status	Scheme	Platform
`12.2.1.4.0`	affected	generic	—
`14.1.1.0.0`	affected	generic	—
`14.1.2.0.0`	affected	generic	—
`15.1.1.0.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official Oracle WebLogic Server patch or upgrade to a fixed version as referenced in the Oracle security advisory
Limit network reachability to the WebLogic Server HTTP port to trusted IP ranges or VPN endpoints
Enable and monitor audit logging on the WebLogic Server to detect anomalous access patterns

Generated by OpenCVE AI on April 22, 2026 at 02:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cpuapr2026.html

History

Wed, 22 Apr 2026 02:45:00 +0000

Type	Values Removed	Values Added
Title		Unauthenticated Remote Access Vulnerability in Oracle WebLogic Server
Weaknesses		CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared		Oracle Oracle weblogic Server
CPEs		cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:::::::* cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:::::::* cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:::::::* cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:::::::*
Vendors & Products		Oracle Oracle weblogic Server
References		https://www.oracle.com/security-alerts/cpuapr2026.html
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Oracle Weblogic Server

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-04-21T20:35:33.685Z

Updated: 2026-04-21T20:35:33.685Z

Reserved: 2026-03-26T19:48:45.679Z

Link: CVE-2026-34305

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-21T21:16:35.850

Modified: 2026-04-21T21:16:35.850

Link: CVE-2026-34305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T02:30:05Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object