External risk intelligence

Oracle WebCenter Content Takeover Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-35321

A critical vulnerability in Oracle WebCenter Content allows a low-privileged attacker with network access to take over the system. This issue, affecting Oracle Fusion Middleware, could also impact other products. Readers should verify if their organization uses Oracle WebCenter Content and assess potential exposure.

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

Oracle WebCenter Content is a server-side enterprise application typically deployed as an accessible web service or portal. While it often sits behind an organization's perimeter, its role as a centralized content management system frequently involves exposure to internal users or partners via web interfaces, making network-based reachability a common deployment characteristic.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle WebCenter Content, a component of Oracle Fusion Middleware. This issue could allow an attacker with limited access to gain control of the system, potentially impacting other connected products. The primary concern is to confirm if your organization utilizes this specific Oracle product and assess any potential exposure.

Allows unauthorized system control.
Impacts Oracle WebCenter Content systems.
Verify relevance and assess exposure.

Attack Path

How an attacker could exploit the issue

An attacker with network access and low-level privileges can target Oracle WebCenter Content. This vulnerability, residing in the Content Server component, could allow an attacker to gain complete control over the Oracle WebCenter Content system. The impact can extend to other connected products.

Network access, low privileges required.
HTTP request to the Content Server component.
Takeover of Oracle WebCenter Content.

Live Threat

Current exploitation, exposure, and threat context

A critical vulnerability in Oracle WebCenter Content could allow a low-privileged attacker with network access to take over the entire system. This could impact not only Oracle WebCenter Content but potentially other connected products due to the vulnerability's scope.

System takeover of Oracle WebCenter Content.
Network access by low-privileged attacker.
Compromise of confidentiality, integrity, and availability.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given that Oracle WebCenter Content is affected, platform or application owners are likely responsible for addressing this vulnerability. The first practical step is to identify all instances of this product within your environment, determine their exposure and business criticality, and then locate the accountable owner to plan remediation.

Identify accountable owners and scope.
Verify network reachability and criticality.
Plan remediation based on risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35321 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Oracle WebCenter Content allows a low-privileged attacker with network access to take over the system, potentially causing a PCI ASV scan failure due to the severity and exploitability.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Oracle WebCenter Content?

Oracle WebCenter Content is an enterprise-grade document and digital asset management system within the Oracle Fusion Middleware stack. Organizations use it to store, manage, and distribute business-critical content across their enterprise applications. Because it handles vast repositories of data, it serves as a central hub for web portals and collaborative workflows, which is why securing its internal processes is vital for maintaining organizational data integrity.

What does CVE-2026-35321 mean for system security?

This vulnerability is classified as an improper access control issue, known technically as CWE-284. It signifies that the Content Server component fails to properly restrict operations, allowing an attacker with existing low-level credentials to bypass intended permissions. By exploiting this flaw, a user can perform actions they are not authorized to do, ultimately gaining unauthorized control over the entire system.

How is this vulnerability triggered?

An attacker triggers this bug by sending a specifically crafted HTTP request to the Content Server component. While network access is required, simply having a standard user account with limited privileges is enough to initiate the attack. Crucially, this is not triggered by public, unauthenticated traffic; the attacker must already possess valid low-privileged credentials within the system to execute the request.

Why should I care about this CVE?

Halo Surface Signal indicates that because Oracle WebCenter Content is typically deployed as an accessible web service or portal, it often maintains connectivity with internal user networks or partner environments. If your instance is reachable over the network, even by internal users, the risk is elevated because the vulnerability allows for a full system takeover that can potentially affect other integrated products in your technology stack.

What are the first steps to address this issue?

Begin by inventorying your environment to locate all instances of Oracle WebCenter Content, particularly versions 12.2.1.4.0 and 14.1.2.0.0. Once identified, evaluate the business criticality and network reachability of each instance. Coordinate with the accountable application owners to prioritize these systems, monitor for any unusual access patterns, and establish a plan to apply the necessary updates from the vendor once they become available.

References

www.oracle.com/security-alerts/cspujun2026.html

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.