Oracle WebCenter Content Takeover Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-35286

A critical vulnerability in Oracle WebCenter Content allows unauthenticated attackers with network access to take over the system. This could severely impact confidentiality, integrity, and availability. Technical readers should assess their exposure to Oracle WebCenter Content to understand the potential risk.

Missing Authentication

Halo Surface Signal: 4

Likely · external exposure

Oracle WebCenter Content is an enterprise content management application. While often deployed behind internal firewalls, it is frequently configured as an externally accessible web application or portal for distributed workforces and partner access, making public-internet-facing deployments a common pattern for this type of service.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle WebCenter Content, an enterprise content management system, which could allow an unauthorized attacker to take over the system remotely. The potential impact on confidentiality, integrity, and availability is severe.

  • Unauthenticated attackers could gain full control.
  • Enterprise content management systems are often internet-facing.
  • Confirm relevance and exposure of Oracle WebCenter Content.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by accessing Oracle WebCenter Content over the network. Once network access is established, the attacker can interact with the vulnerable component, potentially leading to the complete takeover of the system.

  • Network access required.
  • Exploitable via HTTP.
  • Results in system takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Oracle WebCenter Content could allow an attacker with network access to gain complete control of the system. Supported versions of the product are at risk when exposed to the network.

  • Oracle WebCenter Content system data.
  • Unauthenticated network access can compromise it.
  • Complete takeover of the content system.

Operational Fix

Recommended remediation, mitigation, and detection steps

Oracle WebCenter Content ownership typically falls to application or platform teams responsible for content management systems. The first actionable step is to identify all instances of the affected product, determine their business criticality and network exposure, and pinpoint the accountable system owner. A phased remediation plan should then be developed based on assessed risk.

  • Application or platform teams own the issue.
  • Verify external reachability and business criticality.
  • Plan remediation based on risk assessment.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35286 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Oracle WebCenter Content allows unauthenticated attackers to take over the system, potentially causing a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle WebCenter Content?

It is an enterprise content management system within Oracle Fusion Middleware, specifically the Content Server component. Organizations use it to store, manage, and distribute business-critical documents and digital assets. It acts as a central repository that often supports workflows for distributed teams and external partners.

What does CVE-2026-35286 mean for security?

This vulnerability is classified as CWE-306, Missing Authentication for Critical Function. In plain terms, the system fails to verify the identity of a user before allowing access to sensitive operations. Because of this flaw, an attacker can interact with the server as if they were a legitimate user, potentially gaining complete control over the content repository.

How can an attacker trigger this vulnerability?

The vulnerability is triggered when an attacker sends specially crafted HTTP requests to the Content Server component over the network. Because the system lacks the necessary authentication checks, it accepts these requests without credentials. Notably, local access is not required, but the bug is specifically tied to network-based HTTP interaction; it does not trigger through non-network administrative console actions.

Is my system at risk from CVE-2026-35286?

If you are running Oracle WebCenter Content versions 12.2.1.4.0 or 14.1.2.0.0, your system is affected. According to Halo Surface Signal, while these systems are sometimes behind firewalls, they are frequently configured as internet-facing portals to support remote work. If your instance is reachable from the public internet, it faces a higher level of risk compared to those strictly limited to internal networks.

Do I need to take action if I use this software?

Yes. Start by inventorying all instances of the affected versions in your environment. Prioritize identifying which systems are accessible from the network and determine who owns the application, such as your platform or content management team. Once you have a map of your exposure and business criticality, coordinate with your team to establish a formal remediation plan.
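The inventory and prioritization steps described above can be scripted against an asset export. The following is an added example, not part of the original advisory or any vendor tooling; the CSV column names, hostnames, owners and the three-phase ordering are assumptions, while the affected versions are the two listed on this page.

```python
import csv
import io

# Affected versions as listed on this page for CVE-2026-35286.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.0.0"}

# Constructed sample inventory; hostnames, owners and column names are hypothetical.
SAMPLE_INVENTORY = """\
host,version,internet_facing,criticality,owner
wcc-portal.example.com,12.2.1.4.0,yes,high,platform-team
wcc-partner.example.com,14.1.2.0.0,yes,low,
wcc-archive.corp.example,12.2.1.4.0,no,high,content-team
wcc-dev.corp.example,14.1.2.0.0,no,low,content-team
wcc-legacy.corp.example,,no,medium,content-team
wcc-other.corp.example,12.2.1.3.0,yes,high,platform-team
"""

def triage(inventory_csv):
    """Return (plan, needs_review); plan is sorted by remediation phase."""
    plan, needs_review = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = row["version"].strip()
        if not version:
            # Unknown version: the instance cannot be ruled in or out yet.
            needs_review.append(row["host"])
            continue
        if version not in AFFECTED_VERSIONS:
            # Not in this page's affected list; left out of the plan.
            continue
        exposed = row["internet_facing"].strip().lower() == "yes"
        critical = row["criticality"].strip().lower() == "high"
        # Assumed phasing: 1 = internet-facing, 2 = internal but critical, 3 = rest.
        phase = 1 if exposed else 2 if critical else 3
        plan.append({
            "host": row["host"],
            "phase": phase,
            # An empty owner field is surfaced so accountability gets assigned.
            "owner": row["owner"].strip() or "UNASSIGNED",
        })
    plan.sort(key=lambda item: (item["phase"], item["host"]))
    return plan, needs_review

if __name__ == "__main__":
    plan, needs_review = triage(SAMPLE_INVENTORY)
    for item in plan:
        print(f"phase {item['phase']}: {item['host']} (owner: {item['owner']})")
    for host in needs_review:
        print(f"version unknown, verify manually: {host}")
```

Instances with no recorded version are reported separately instead of being dropped, since an incomplete inventory is the usual reason an exposed system is missed.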
