External risk intelligence

Oracle WebCenter Content Privilege Escalation Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-35270

A critical vulnerability in Oracle WebCenter Content allows a high-privileged attacker with network access via HTTP to compromise the system, potentially leading to a complete takeover. While the vulnerability resides in WebCenter Content, successful exploitation could impact additional products. This issue is relevant

Halo Surface Signal

Likely · external exposure

Halo Surface Signal

Oracle WebCenter Content is a web-based enterprise content management system. These platforms are commonly deployed as internet-facing or extranet-facing web applications to facilitate document access and collaboration, making the HTTP-based interface a common point of network exposure.

Horizon Alert

Summary of the vulnerability and why it matters

This CVE describes a critical vulnerability in Oracle WebCenter Content, a product within Oracle Fusion Middleware. An attacker with high privileges and network access could potentially compromise the system, leading to a complete takeover. The impact could extend beyond WebCenter Content to other connected products.

  • A serious flaw affects Oracle WebCenter Content.
  • Compromise could lead to full system takeover.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with high privileges and network access can exploit this vulnerability through HTTP. The attack targets the Oracle WebCenter Content Server component. Successful exploitation could lead to a complete takeover of Oracle WebCenter Content, potentially impacting other connected products.

  • Requires high privileges and network access.
  • Exploits the Content Server component.
  • Leads to takeover of affected content.

Live Threat

Current exploitation, exposure, and threat context

A high-privileged attacker with network access could compromise Oracle WebCenter Content, potentially impacting additional products. According to the advisory, exploitation could lead to a complete takeover of the Oracle WebCenter Content system.

  • Oracle WebCenter Content system data.
  • Network access via HTTP.
  • Takeover of Oracle WebCenter Content.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given that this vulnerability affects Oracle WebCenter Content, the primary responsibility likely lies with the application owners and potentially the platform or infrastructure teams managing the Oracle Fusion Middleware environment. The initial step should be to identify all instances of Oracle WebCenter Content, determine their accessibility, assess their criticality to business operations, and confirm the accountable owner before planning remediation efforts.

  • Application and platform teams own the issue.
  • Verify all WebCenter Content instances.
  • Plan remediation based on risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35270 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Oracle WebCenter Content vulnerability allows a high-privileged attacker to take over the system via HTTP, potentially causing a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle WebCenter Content?

It is a central component of Oracle Fusion Middleware used by organizations to manage enterprise documents, digital assets, and collaborative content workflows. It functions as a web-based repository, allowing users to store, retrieve, and manage content across the enterprise, often serving as a critical backend for business processes.

What does CVE-2026-35270 mean in plain English?

This vulnerability falls under the category of Improper Access Control (CWE-284). It represents a significant security weakness where the software fails to properly restrict the actions of an authenticated user. In this specific case, the flaw allows an attacker who already possesses high-level administrative privileges to bypass security boundaries, potentially granting them total control over the Content Server system.

How is this vulnerability triggered?

An attacker must already have high-level administrative credentials to initiate an attack. They connect to the target system over the network using HTTP to interact with the Content Server component. It is important to note that this is not a guest or unauthenticated attack; the flaw relies on abusing existing elevated permissions rather than simply guessing a password or finding an open door.

Is my system at risk if it is not on the internet?

Halo Surface Signal indicates that Oracle WebCenter Content is frequently deployed as an internet-facing or extranet-facing application to support remote collaboration. While internet-facing instances have the highest risk, internal systems remain vulnerable to any attacker with access to your internal network. You should prioritize instances based on their reachability.

What steps should I take if I use this software?

First, locate and inventory all deployed instances of Oracle WebCenter Content versions 12.2.1.4.0 and 14.1.2.0.0 within your environment. Identify the application owners responsible for these systems and coordinate with them to assess their criticality. Monitor official Oracle security communications to identify and apply the necessary patches or configuration changes provided by the vendor to address this flaw.
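The inventory step above, as an added example (not code from Oracle or from this advisory): it filters a constructed asset inventory for the two affected versions named on this page and orders the hits by reachability, keeping missing owners and unverified exposure visible. The CSV columns, hostnames, owner names and exposure tier names are assumptions.

```python
import csv
import io

# Affected versions as listed on this page for CVE-2026-35270.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.0.0"}

# Reachability tiers, most exposed first (tier names are assumptions of this example).
EXPOSURE_RANK = {"internet": 0, "extranet": 1, "internal": 2}

# Constructed sample inventory; hosts, owners and column names are illustrative.
SAMPLE_INVENTORY = """host,product,version,exposure,owner
wcc-int-01.example.internal,Oracle WebCenter Content,12.2.1.4.0,internal,ecm-team
docs.example.com,Oracle WebCenter Content,14.1.2.0.0,internet,
partners.example.com,oracle webcenter content,12.2.1.4.0 ,extranet,portal-team
wcc-old.example.internal,Oracle WebCenter Content,12.2.1.3.0,internal,ecm-team
wls-01.example.internal,Oracle WebLogic Server,14.1.2.0.0,internal,platform
wcc-lab.example.internal,Oracle WebCenter Content,14.1.2.0.0,unknown,lab
"""

def triage(inventory_csv):
    """Return affected WebCenter Content instances, most reachable first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        version = row["version"].strip()
        # Match only the product and the versions this page names.
        if product != "oracle webcenter content" or version not in AFFECTED_VERSIONS:
            continue
        exposure = row["exposure"].strip().lower()
        findings.append({
            "host": row["host"].strip(),
            "version": version,
            # Unrecognised exposure stays visible instead of being ranked low.
            "exposure": exposure if exposure in EXPOSURE_RANK else "unverified",
            # An empty owner is flagged so accountability is confirmed first.
            "owner": row["owner"].strip() or "UNASSIGNED",
        })
    # Unverified reachability sorts just after internet-facing: check it early.
    return sorted(
        findings,
        key=lambda f: (EXPOSURE_RANK.get(f["exposure"], 0.5), f["host"]),
    )

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['exposure']:<10} {f['host']:<30} {f['version']:<11} owner={f['owner']}")
```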
