External risk intelligence

Oracle WebCenter Content Takeover Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.0)

CVE-2026-35320

A critical vulnerability in Oracle WebCenter Content allows an unauthenticated attacker with network access to take over the system, potentially impacting other Oracle Fusion Middleware products.

Halo Surface Signal

Likely · external exposure

Oracle WebCenter Content is a web-based enterprise middleware product designed to manage content and documents. It is frequently deployed as an internet-facing web application or accessible service to support remote collaboration, making it commonly reachable from the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle WebCenter Content, a product used for managing digital content within Oracle Fusion Middleware. Although difficult to exploit, this issue could allow an unauthorized attacker with network access to potentially take over the system, impacting additional products beyond WebCenter Content itself.

  • Unauthenticated attackers could gain system control.
  • This affects enterprise content management systems.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker with network access could compromise Oracle WebCenter Content by reaching a vulnerable component through HTTP. This vulnerability, although difficult to exploit, could lead to a complete takeover of the affected product, potentially impacting other Oracle Fusion Middleware products.

  • Attacker needs network access.
  • Attacker triggers vulnerability via HTTP.
  • Risk of system takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker with network access to take over Oracle WebCenter Content. Where the advisory supports it, attackers could also impact additional products.

  • Oracle WebCenter Content system.
  • Network access via HTTP.
  • Complete system takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for addressing this critical vulnerability in Oracle WebCenter Content. The initial focus should be on identifying all instances of the affected product, assessing their reachability and business criticality, and confirming the accountable owner. Subsequently, a risk-based remediation plan can be developed, potentially involving coordination with Oracle.

  • Application owners should manage the issue.
  • Verify product reachability and criticality first.
  • Plan remediation based on risk assessment.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35320 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Oracle WebCenter Content vulnerability allows unauthenticated attackers to take over the system, which would cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle WebCenter Content?

It is a middleware component within Oracle Fusion Middleware used by organizations to manage, store, and organize enterprise digital content. It acts as a central repository that supports document lifecycle management and team collaboration, often serving as a critical backend for business applications.

What does CWE-284 mean for CVE-2026-35320?

CWE-284 refers to Improper Access Control. In the context of this vulnerability, it means the system fails to correctly verify or restrict user permissions. Because of this flaw, the software does not properly block unauthorized users from performing sensitive actions, which can ultimately lead to a full system takeover.

How does an attacker trigger this vulnerability?

An attacker triggers this by sending specially crafted HTTP requests to the Content Server component. It requires network connectivity to the targeted service. The vulnerability does not require any prior authentication or user interaction to initiate the attack, though the advisory notes that exploitation is technically difficult to achieve.

Why should I care about CVE-2026-35320?

According to Halo Surface Signal, this software is frequently deployed as an internet-facing application to facilitate remote access. If your instance is reachable from the public internet, it faces a higher likelihood of being targeted. Furthermore, because this is a scope-changing vulnerability, a successful compromise may provide an attacker with a path to impact other connected Fusion Middleware products.

What should I do if I run this software?

Begin by inventorying your environment to locate all instances of WebCenter Content versions 12.2.1.4.0 and 14.1.2.0.0. Once identified, evaluate their network reachability and business criticality. Coordinate with your infrastructure and application teams to assess the risk and prepare for updates or configuration changes provided by Oracle.
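The inventory-and-triage steps above can be scripted against an asset export. The following is an added example, not part of the original advisory or any Oracle or Halo tooling; the CSV column names, host names and owner labels are constructed for illustration, and only the two affected versions come from this page.

```python
import csv
import io

# Affected versions as listed on this page for CVE-2026-35320.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.0.0"}
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,product,version,internet_facing,criticality,owner
wcc-prod-01.example.internal,Oracle WebCenter Content,12.2.1.4.0,yes,high,content-platform
wcc-dr-01.example.internal,Oracle WebCenter Content,14.1.2.0.0,no,medium,content-platform
wcc-test-01.example.internal,oracle webcenter content, 12.2.1.4.0 ,no,low,
wcc-old-01.example.internal,Oracle WebCenter Content,12.2.1.3.0,yes,high,legacy-apps
soa-prod-01.example.internal,Oracle SOA Suite,12.2.1.4.0,yes,high,integration
"""


def triage(inventory_csv):
    """Return affected WebCenter Content instances, most urgent first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        product = row["product"].strip().lower()
        version = row["version"].strip()
        if product != "oracle webcenter content" or version not in AFFECTED_VERSIONS:
            continue
        exposed = row["internet_facing"].strip().lower() in {"yes", "true", "1"}
        findings.append({
            "host": row["host"].strip(),
            "version": version,
            "internet_facing": exposed,
            "criticality": row["criticality"].strip().lower(),
            # An empty owner field means accountability still has to be confirmed.
            "owner": row["owner"].strip() or "UNASSIGNED",
        })
    # Reachable instances first, then by business criticality, then host name.
    findings.sort(key=lambda f: (not f["internet_facing"],
                                 CRITICALITY_RANK.get(f["criticality"], 3),
                                 f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        exposure = "internet-facing" if f["internet_facing"] else "internal"
        print(f"{f['host']}  {f['version']}  {exposure}  "
              f"{f['criticality']}  owner={f['owner']}")
```

Versions other than the two named on this page are skipped by this script, so check any such instances against Oracle's advisory separately.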
