External risk intelligence

Oracle WebCenter Sites Takeover Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-35296

A critical vulnerability in Oracle WebCenter Sites, a web content management product, allows unauthenticated attackers with network access to achieve complete system takeover. This issue impacts confidentiality, integrity, and availability.

Missing Authentication

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

Oracle WebCenter Sites is a web-based content management platform that serves as a public-facing web application. By design, such enterprise content management systems often handle web traffic directly or reside on the network edge to facilitate content delivery, making them frequently reachable via the public internet in standard deployment patterns.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle WebCenter Sites, a product used for managing web content. This issue, if exploited, could allow an attacker to take complete control of the affected system without needing any prior access. The severity of this vulnerability is high, impacting confidentiality, integrity, and availability.

Unauthenticated attackers could gain full control.
Business functions may be compromised.
Confirm relevance and exposure to Oracle WebCenter Sites.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker with network access can exploit this vulnerability to gain full control of Oracle WebCenter Sites. The attacker initiates the attack by sending a request over HTTP to the vulnerable component. Successful exploitation allows the attacker to compromise the confidentiality, integrity, and availability of the system.

Network access required.
Vulnerable component triggered via HTTP.
Complete system takeover possible.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker with network access to take over Oracle WebCenter Sites, impacting confidentiality, integrity, and availability.

Oracle WebCenter Sites product.
Unauthenticated network access.
Complete system takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Oracle WebCenter Sites product, a component of Oracle Fusion Middleware, is vulnerable, potentially impacting application owners and infrastructure teams responsible for its management. The initial step involves identifying all instances of this product, assessing their network reachability and business criticality, and then locating the accountable owner to plan remediation based on the identified risk.

Application owners should own the issue.
Verify network reachability and business criticality.
Plan remediation based on risk assessment.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35296 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Oracle WebCenter Sites allows remote takeover, which would likely cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Oracle WebCenter Sites?

Oracle WebCenter Sites is a web-based content management platform used by organizations to create, manage, and deliver online experiences. As a core component of Oracle Fusion Middleware, it helps businesses structure and serve dynamic website content to their users.

What does CVE-2026-35296 mean for my system?

This vulnerability is classified as CWE-306, which refers to a lack of authentication required for a critical function. In plain terms, it means the software fails to verify who is sending a request, allowing an unauthorized user to perform sensitive actions as if they were a trusted administrator.

How can an attacker trigger this vulnerability?

An attacker can trigger this issue by sending a specially crafted HTTP request to the target system. Because the software does not properly check for authentication, no special preconditions, such as existing login credentials or prior access to the network, are required to initiate the attack.

Why should I care about this vulnerability?

Halo Surface Signal indicates that Oracle WebCenter Sites is often deployed as a public-facing web application. Since it frequently sits on the network edge to deliver content, it is highly likely to be reachable from the internet, increasing the importance of addressing this flaw if your instance is network-accessible.

What are the first steps to handle CVE-2026-35296?

Begin by creating an inventory of all Oracle WebCenter Sites instances across your environment. Once identified, evaluate the network reachability and business criticality of each system to determine the level of risk, then work with the accountable application owners to prioritize and plan your response.

References

www.oracle.com/security-alerts/cspujun2026.html

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.