CVE-2026-35327 - Vulnerability Details

Description

Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 7.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).

Published: 2026-06-16

Score: 7.6 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A low‑sophistication vulnerability in Oracle WebCenter Content’s Content Server component is due to improper access control (CWE‑284) that allows an attacker with low privileges and network access over HTTPS to read or modify restricted data. The flaw results in high confidentiality impact, moderate integrity loss, and, because the scope changes, complete control over all accessible content for the compromised account.

Affected Systems

Oracle WebCenter Content, versions 12.2.1.4.0 and 14.1.2.0.0, are impacted. These versions are distributed as part of Oracle Fusion Middleware and include the identified vulnerability.

Risk and Exploitability

The CVSS 3.1 base score is 7.6, indicating moderate to high severity. The EPSS score is less than 1%, showing low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be able to reach the server over HTTPS, possess low‑privileged credentials, and an innocent user must interact with the system. Successful exploitation can lead to unauthorized data disclosure or modification over the affected range.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle WebCenter Content

affected

Version	Status	Constraints
`12.2.1.4.0`	affected	—
`14.1.2.0.0`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Webcenter Content

95%

Version	Status	Scheme	Platform
`12.2.1.4.0`	affected	generic	—
`14.1.2.0.0`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor’s latest patch for WebCenter Content 12.2.1.4.0 or 14.1.2.0.0 as soon as available
Restrict external HTTPS access to the Content Server by implementing network segmentation and firewall rules
Enforce strong authentication and, where possible, require multi‑factor authentication for all WebCenter Content users
Regularly review access control configurations to ensure least‑privilege principles are maintained

Generated by OpenCVE AI on June 17, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00284.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cspujun2026.html

History

Tue, 16 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle WebCenter Content product of Oracle Fusion Middleware (component: Content Server). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCenter Content. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle WebCenter Content, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebCenter Content accessible data as well as unauthorized update, insert or delete access to some of Oracle WebCenter Content accessible data. CVSS 3.1 Base Score 7.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N).
First Time appeared		Oracle Oracle webcenter Content
CPEs		cpe:2.3:a:oracle:webcenter_content:12.2.1.4.0:::::::* cpe:2.3:a:oracle:webcenter_content:14.1.2.0.0:::::::*
Vendors & Products		Oracle Oracle webcenter Content
References		https://www.oracle.com/security-alerts/cspujun2026.html
Metrics		cvssV3_1 `{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}`

Subscriptions

Oracle Webcenter Content

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-06-16T19:27:12.874Z

Updated: 2026-06-17T15:35:38.959Z

Reserved: 2026-04-01T20:03:40.838Z

Link: CVE-2026-35327

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:00:10Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact Low

Availability Impact None

User Interaction Required

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object