External risk intelligence

Oracle WebCenter Content Takeover Vulnerability via HTTP

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-35316

A vulnerability in Oracle WebCenter Content allows a low-privileged attacker with network access to compromise the system, potentially leading to a full takeover and impacting additional products. This issue is easily exploitable via HTTP and carries a critical severity rating due to its impacts on confidentiality, int

Oracle WebCenter Content

12.2.1.4.0, 14.1.2.0.0

Halo Surface Signal

Likely · external exposure


Oracle WebCenter Content is a content management system and enterprise application platform frequently deployed as a network-accessible web service to support business content workflows, making it a common target for external HTTP-based access in organizational deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability affects Oracle WebCenter Content, a product used for managing enterprise content and supporting business workflows. If exploited, it could allow unauthorized access and full control of the system, potentially impacting other connected products. The main concern is confirming if your environment is exposed.

  • A system flaw allows an outsider to take over.
  • It impacts a core content management system.
  • Confirm if this system is in use.

Attack Path

How an attacker could exploit the issue

A low-privileged attacker with network access can exploit this vulnerability by sending specially crafted HTTP requests. This allows them to compromise Oracle WebCenter Content, potentially leading to a full takeover of the system and impacting other connected products.

  • Network access required.
  • HTTP request to vulnerable component.
  • Complete system takeover.

Live Threat

Current exploitation, exposure, and threat context

A low-privileged attacker with network access could compromise Oracle WebCenter Content, potentially impacting additional products. This vulnerability could lead to the full takeover of the affected content management system.

  • System data and services.
  • Network access via HTTP.
  • Takeover of content management system.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Oracle WebCenter Content, accessible via HTTP, could allow a low-privileged attacker to take over the system and impact other integrated products. Ownership likely falls to the platform or application teams responsible for Oracle WebCenter Content. The first step is to identify all instances, confirm network exposure and business criticality, locate the accountable owner, and then plan remediation by risk.

  • Platform/application owners should manage the issue.
  • Verify network exposure and business criticality first.
  • Plan remediation by risk and ownership.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35316 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Oracle WebCenter Content could allow a low-privileged attacker to take over the system. Its critical severity and network-exploitable nature make it relevant for PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle WebCenter Content?

Oracle WebCenter Content is a component of Oracle Fusion Middleware designed to manage enterprise documents, digital assets, and business workflows. Organizations use it as a central repository to store, organize, and deliver content across various business applications. Because it often integrates deeply with other enterprise tools, it serves as a critical hub for organizational data management.

What does CVE-2026-35316 mean for the system?

This vulnerability is classified as CWE-284, which concerns improper access control. In plain terms, the software fails to properly restrict what a user can do within the system. Because of this weakness, a low-privileged attacker can bypass security checks to gain unauthorized control over the Content Server, potentially affecting the integrity and availability of the entire application.

How is this vulnerability triggered?

An attacker triggers this flaw by sending specially crafted HTTP requests to the Content Server. The vulnerability requires network access to the target; it cannot be triggered locally without that network path. Crucially, the system is only at risk if it processes these malicious HTTP requests, meaning standard administrative tasks or benign web traffic do not activate the exploit.

Is my system at risk from this vulnerability?

Halo Surface Signal notes that Oracle WebCenter Content is frequently deployed as a network-accessible web service to support business workflows. Because of this, it is commonly exposed to external HTTP-based access. If your instance is reachable over a network where an attacker can send HTTP requests, it is considered externally exposed and carries a higher risk profile.

How do I respond to this threat advisory?

First, inventory your environment to locate all instances of the affected versions, 12.2.1.4.0 and 14.1.2.0.0. Once identified, work with the platform or application teams to verify the network exposure and business criticality of each instance. Use this information to prioritize your remediation efforts based on the risk associated with each specific deployment.
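
An added example, not part of the original advisory or any vendor tooling: a small inventory triage that follows the steps above, keeping WebCenter Content instances on the affected versions (or with no recorded version) and ordering them by exposure, then criticality. The CSV columns, hostnames, owners and rating labels are assumptions constructed for illustration.

```python
import csv
import io

# Affected versions as listed in the advisory.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.0.0"}
PRODUCT = "oracle webcenter content"

# Lower rank sorts first. Unknown values rank as worst case (see _rank).
EXPOSURE_RANK = {"external": 0, "internal": 1, "isolated": 2}
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample inventory: hosts, owners and ratings are made up.
SAMPLE_INVENTORY = """host,product,version,exposure,criticality,owner
wcc-dmz-01.example.test,Oracle WebCenter Content,12.2.1.4.0,external,high,platform
wcc-int-02.example.test,Oracle WebCenter Content,14.1.2.0.0,internal,medium,
wcc-lab-03.example.test,Oracle WebCenter Content,,unknown,low,apps
wcc-old-04.example.test,Oracle WebCenter Content,11.1.1.9.0,internal,high,apps
wls-app-05.example.test,Oracle WebLogic Server,12.2.1.4.0,external,high,platform
"""


def _rank(table, value):
    # An unverified exposure or criticality is treated as the worst case.
    return table.get(value.strip().lower(), 0)


def triage(inventory_csv):
    """Return affected or unverified instances, highest risk first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() != PRODUCT:
            continue
        version = row["version"].strip()
        if version and version not in AFFECTED_VERSIONS:
            continue  # version known and not listed in the advisory
        findings.append({
            "host": row["host"],
            "status": "affected" if version else "version-unverified",
            "exposure": row["exposure"].strip().lower(),
            "criticality": row["criticality"].strip().lower(),
            "owner": row["owner"].strip() or "UNASSIGNED",
        })
    findings.sort(key=lambda f: (_rank(EXPOSURE_RANK, f["exposure"]),
                                 _rank(CRITICALITY_RANK, f["criticality"])))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f["host"], f["status"], f["exposure"], f["criticality"], f["owner"])
```

Instances with no recorded version or an unverified exposure stay in the list and rank as worst case, so gaps in the inventory surface as work items rather than silently dropping out.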
