Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Published: 2026-04-21
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Remote Access leading to confidentiality breach
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in Oracle WebLogic Server’s Web Services component allows an unauthenticated attacker with network access via HTTP to compromise the server and gain unauthorized access to critical data. The impact is limited to confidentiality, with no noted integrity or availability effects. The weakness appears to be an improper access control flaw that permits bypass of authentication checks.

Affected Systems

Affected products are Oracle WebLogic Server from Oracle Corporation. Versions impacted include 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. Users running these versions should verify their installed release and apply vendor advisories.

Risk and Exploitability

This issue carries a CVSS 3.1 Base Score of 7.5, indicating significant confidentiality risk. The EPSS score of <1% indicates a very low but non‑zero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote HTTP traffic from an unauthenticated network source. Successful exploitation could lead to full access to all data the WebLogic Server manages without requiring credentials.

Generated by OpenCVE AI on April 28, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle WebLogic Server patch or upgrade to a fixed version as referenced in the Oracle security advisory
  • Limit network reachability to the WebLogic Server HTTP port to trusted IP ranges or VPN endpoints
  • Enable and monitor audit logging on the WebLogic Server to detect anomalous access patterns

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Compromise in Oracle WebLogic Server

Tue, 28 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Exploitation Allows Unauthorized Data Access in Oracle WebLogic Server Web Services
Weaknesses CWE-285

Wed, 22 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Exploitation Allows Unauthorized Data Access in Oracle WebLogic Server Web Services
Weaknesses CWE-285

Wed, 22 Apr 2026 07:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Access Vulnerability in Oracle WebLogic Server
Weaknesses CWE-284

Wed, 22 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Access Vulnerability in Oracle WebLogic Server
Weaknesses CWE-284

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
First Time appeared Oracle
Oracle weblogic Server
CPEs cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:14.1.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:weblogic_server:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle weblogic Server
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-04-22T13:24:18.012Z

Reserved: 2026-03-26T19:48:45.679Z

Link: CVE-2026-34305

Vulnrichment

Updated: 2026-04-22T13:24:06.589Z

NVD

Status: Analyzed

Published: 2026-04-21T21:16:35.850

Modified: 2026-04-24T14:27:13.867

Link: CVE-2026-34305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T21:30:26Z

Weaknesses