External risk intelligence

Oracle WebCenter Content Takeover Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-35323

A vulnerability in Oracle WebCenter Content allows a low-privileged attacker with network access to compromise the system, potentially impacting additional products. Successful exploitation could lead to a full takeover of Oracle WebCenter Content.

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

Oracle WebCenter Content is an enterprise web application designed to manage enterprise content and often includes web-accessible interfaces or API endpoints that are commonly deployed in network-reachable configurations for user and system interaction.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability affects Oracle WebCenter Content, a product used for managing enterprise content. An attacker could potentially gain control of the system with significant impact on related products. The primary concern is to determine if your organization uses this specific Oracle product and confirm its exposure.

  • System flaw allows unauthorized control.
  • Critical vulnerability impacting core content management.
  • Confirm use and assess impact.

Attack Path

How an attacker could exploit the issue

An attacker could compromise Oracle WebCenter Content by exploiting a vulnerability accessible over the network. This would allow a low-privileged attacker to gain control of the system, potentially impacting other connected products.

  • Network access required.
  • Vulnerable component: Content Server.
  • Full system takeover possible.

Live Threat

Current exploitation, exposure, and threat context

A low-privileged attacker with network access could exploit this vulnerability when supported by the advisory to achieve a full takeover of Oracle WebCenter Content. This could impact additional products due to the nature of the vulnerability.

  • System content and availability could be compromised.
  • Network access allows exposure of the system.
  • Takeover of Oracle WebCenter Content.

Operational Fix

Recommended remediation, mitigation, and detection steps

Given this vulnerability in Oracle WebCenter Content, responsibility likely falls to application owners, infrastructure teams, and potentially vendor-management if Oracle is involved. The critical first step is to identify all instances of Oracle WebCenter Content, confirm their network reachability and business criticality, and then assign an owner for remediation planning based on the assessed risk.

  • Application and infrastructure teams own resolution.
  • Verify network reachability and business criticality.
  • Plan remediation based on assessed risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35323 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Oracle WebCenter Content allows an attacker with network access to take over the product, which could lead to a PCI scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Oracle WebCenter Content?

Oracle WebCenter Content is a component of Oracle Fusion Middleware designed to manage enterprise documents, images, and other digital assets. It acts as a centralized repository for content throughout its lifecycle. Organizations use it to streamline business processes, automate document workflows, and integrate content across various enterprise applications. It includes specific tools like the Content Server to handle these storage and management tasks.

What does CWE-284 mean for CVE-2026-35323?

CWE-284 refers to Improper Access Control. This indicates that the software does not correctly restrict or verify the actions allowed by a user or process. In the context of CVE-2026-35323, this flaw allows an attacker to bypass intended security boundaries. Because it affects the Content Server component, a low-privileged user can perform unauthorized actions, potentially escalating their access to take full control of the application.

How does an attacker trigger this vulnerability?

An attacker needs network access to the target system via HTTP to initiate an exploit. The flaw is not triggered by standard, authorized user interactions that fall within normal privilege levels. Instead, it requires the attacker to leverage specific network-accessible endpoints in the Content Server component to bypass access restrictions. If a system is not reachable over the network, or if the attacker cannot reach the specific vulnerable interface, the trigger condition is not met.

Is my Oracle WebCenter Content instance at risk?

Halo Surface Signal identifies Oracle WebCenter Content as a web-based enterprise application that often includes web-accessible interfaces or APIs. If your installation is configured to be reachable over a network, it may be exposed to this vulnerability. You should prioritize assessing systems that are internet-facing or accessible to internal networks where unauthorized users might have access, as these are the primary vectors for this type of network-based attack.

How should I respond to this advisory?

The first step is to inventory your environment to locate all instances of Oracle WebCenter Content, specifically identifying those running versions 12.2.1.4.0 or 14.1.2.0.0. Once identified, evaluate the network reachability of these instances to understand their potential exposure. After assessing the business criticality of each instance, collaborate with your infrastructure and application teams to prioritize remediation planning and apply vendor-provided security updates as they become available.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished