Description
Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Access Control flaw (CWE‑284) in Oracle WebCenter Content’s Content Server component. A low‑privileged attacker who can reach the application over HTTP can bypass authorization checks and fully compromise the system, leading to potential takeover of the WebCenter Content application. The CVSS 3.1 Base Score of 9.9 indicates maximum impact on confidentiality, integrity, and availability.

Affected Systems

The affected systems are Oracle Corporation’s WebCenter Content product, specifically the Content Server component. Versions 12.2.1.4.0 and 14.1.2.0.0 are enumerated as vulnerable; these versions may also expose additional Oracle Fusion Middleware products due to the scope change outlined in the advisory.

Risk and Exploitability

The CVSS base score of 9.9 and a network attack vector with low complexity and low privilege suggest that the vulnerability is highly severe yet relatively easy for an attacker to exploit. The EPSS score of less than 1% indicates that, despite the high severity, current exploit activity is low, and the vulnerability is not listed in the CISA KEV catalog. However, the combination of HTTP accessibility, lack of user interaction, and scope change implies that a remote attacker could execute an exploit and gain full control over the application if they can reach the target network interface. The risk is significant for organizations currently running the affected versions and must be addressed promptly.

Generated by OpenCVE AI on June 17, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle WebCenter Content patch supplied in the June 2026 security advisory to versions 12.2.1.4.0 and 14.1.2.0.0.
  • Restrict outbound and inbound HTTP access to the WebCenter Content interface to trusted IP ranges or VPN tunnels.
  • Disable any unused management or administrative interfaces on the WebCenter Content servers to reduce the attack surface.

Generated by OpenCVE AI on June 17, 2026 at 22:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Oracle WebCenter Content Remote Takeover via Improper Access Control
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter Content. While the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Content. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle webcenter Content
CPEs cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:webcenter_content:14.1.2.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle webcenter Content
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Webcenter Content
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-19T03:55:37.127Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35323

cve-icon Vulnrichment

Updated: 2026-06-17T15:25:29.025Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T22:30:13Z

Weaknesses