External risk intelligence

Oracle WebCenter Sites Takeover Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-35293

A critical vulnerability exists in Oracle WebCenter Sites, allowing unauthenticated attackers with network access to compromise the entire system. This could lead to a complete takeover, impacting confidentiality, integrity, and availability. Confirm if your Oracle WebCenter Sites deployment is affected and exposed.

Missing Authentication

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

Oracle WebCenter Sites is a web-based content management platform typically deployed as a public-facing or externally accessible enterprise web application. As it processes HTTP traffic and is designed to provide web services, it frequently exists within an organization's network perimeter, making it a common target for internet-based exposure.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Oracle WebCenter Sites, an Oracle Fusion Middleware component, could allow an unauthenticated attacker to take over the system remotely. This is a critical issue with a high potential impact on confidentiality, integrity, and availability.

Unauthenticated attackers can fully control affected systems.
This is a critical, remotely exploitable flaw.
Confirm relevance and exposure to Oracle WebCenter Sites.

Attack Path

How an attacker could exploit the issue

An attacker can reach Oracle WebCenter Sites over the network using HTTP. Because no authentication is required, an unauthenticated attacker can compromise the system. Successful attacks can lead to the complete takeover of Oracle WebCenter Sites.

Attacker needs network access.
Vulnerable component is WebCenter Sites.
Risk is complete system takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Oracle WebCenter Sites could allow an unauthenticated attacker with network access to gain complete control of the product, impacting confidentiality, integrity, and availability when supported by the advisory.

Oracle WebCenter Sites system data.
Via network access over HTTP.
Complete takeover of the system.

Operational Fix

Recommended remediation, mitigation, and detection steps

Determining precise ownership requires understanding your specific deployment of Oracle WebCenter Sites. Typically, platform or infrastructure teams manage the core application, while application owners are responsible for its configuration and content. The first step is to identify all instances, confirm their reachability and business criticality, and then engage the accountable owners to plan remediation.

Platform or Infrastructure team ownership.
Verify external reachability and criticality.
Plan risk-based remediation and vendor coordination.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35293 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Oracle WebCenter Sites allows an unauthenticated attacker to compromise the system, posing a significant risk to PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Oracle WebCenter Sites?

Oracle WebCenter Sites is a web-based content management platform within the Oracle Fusion Middleware suite. Organizations use it to build, manage, and deliver dynamic websites and web-based customer experiences. It acts as the engine that serves digital content, meaning it must process incoming web traffic to function.

What does CWE-306 mean for CVE-2026-35293?

CWE-306 refers to a Missing Authentication for Critical Function weakness. In the context of CVE-2026-35293, it means the software performs sensitive operations or provides access to system controls without verifying the identity of the person making the request. This allows an unauthorized user to bypass security checks and gain control.

How is this vulnerability triggered?

The vulnerability is triggered when an attacker sends specific HTTP requests to the target system over the network. Because the system fails to authenticate these requests, the attacker can execute commands remotely. Note that this flaw does not require the attacker to have valid user credentials or pre-existing access to the internal network to initiate the attack.

Do I need to worry if my system is internal?

Halo Surface Signal indicates that Oracle WebCenter Sites is typically deployed as a public-facing web application, making internet-based exposure a primary concern. While internal instances are theoretically safer, they remain vulnerable to any actor who gains access to your internal network. You should prioritize instances reachable from the public internet.

When should I start responding to this CVE?

Begin immediately by identifying all instances of WebCenter Sites version 14.1.2.0.0 in your environment. Consult with your platform and infrastructure teams to map which instances are accessible via the network and assess their business importance. Once you have a clear inventory, coordinate with the responsible application owners to plan and apply the necessary vendor updates.

References

www.oracle.com/security-alerts/cspujun2026.html

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.