Description
Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Client Bundle component of Oracle WebCenter Enterprise Capture and can be exploited by a low‑privileged attacker who has network connectivity to the T3 or IIOP interfaces. Attackers can manipulate requests to gain full control over the application, leading to a complete takeover. Successful exploitation results in full loss of confidentiality, integrity, and availability for the affected Oracle WebCenter Enterprise Capture environment.

Affected Systems

Affected releases include Oracle WebCenter Enterprise Capture 12.2.1.4.0 and 14.1.2.0.0. The impact extends beyond the capture product; because the flaw modifies access control, other components of Oracle Fusion Middleware that interact with the capture service may also be compromised.

Risk and Exploitability

The CVSS 3.1 score of 9.9 places this flaw in the critical range. The EPSS score of <1% indicates a very low likelihood of exploitation in the wild, yet the absence of a KEV listing does not diminish the risk for organizations still running unpatched versions. Attackers could achieve remote takeover with minimal effort, and the scope change means that compromise of WebCenter could cascade to other Fusion Middleware products. Organizations should treat this as a high-priority patching event.

Generated by OpenCVE AI on June 17, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the Oracle WebCenter Enterprise Capture security patch released in June 2026 as documented in Oracle's security advisory link
  • Configure firewalls to allow inbound traffic on the T3 and IIOP ports only from trusted IP ranges, or use VPN or bastion hosts to isolate the capture service from untrusted networks
  • After patching, run vulnerability scans and targeted penetration testing against the T3/IIOP interfaces to confirm that the flaw has been eliminated and that no related weaknesses remain

Generated by OpenCVE AI on June 17, 2026 at 21:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation and Remote Compromise via T3/IIOP in Oracle WebCenter Enterprise Capture
Weaknesses CWE-200
CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Enterprise Capture product of Oracle Fusion Middleware (component: Client Bundle). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via T3, IIOP to compromise Oracle WebCenter Enterprise Capture. While the vulnerability is in Oracle WebCenter Enterprise Capture, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Enterprise Capture. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Enterprise Capture
CPEs cpe:2.3:a:oracle:webcenter_enterprise_capture:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_enterprise_capture:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Enterprise Capture
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Enterprise Capture
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:39:13.215Z

Reserved: 2026-04-01T20:03:40.836Z

Link: CVE-2026-35284

cve-icon Vulnrichment

Updated: 2026-06-17T13:39:07.810Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:56Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control