Oracle Releases Security Advisory to Address a Critical Vulnerability in Oracle Fusion Middleware

Successful exploitation could allow an unauthenticated attacker with HTTP network access to create, delete, or modify critical data accessible through the Oracle HTTP Server and Oracle WebLogic Server Proxy Plug‑in

Threat ID:: CC-4739
Threat Severity:: Medium
Published:: 22 January 2026 4:26 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

Affected platforms

The following platforms are known to be affected:

Oracle HTTP Server

Versions:

12.2.1.4.0
14.1.1.0.0
14.1.2.0.0

Oracle Weblogic Server Proxy Plug-in

Weblogic Server Proxy Plug-in for Apache HTTP Server Component

Versions:

12.2.1.4.0
14.1.1.0.0
14.1.2.0.0

Weblogic Server Proxy Plug-in for IIS Component

Versions:

12.2.1.4.0

Threat details

Proof-of-Concept Exploit for CVE-2026-21962

A proof-of-concept exploit for CVE-2026-21962 is publicly available. The NHS England National CSOC assesses exploitation as highly likely.

Introduction

Oracle has published a security advisory addressing a critical a vulnerability in Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in within Oracle Fusion Middleware. Successful exploitation of CVE-2026-21962 could allow an unauthenticated attacker with HTTP network access to create, delete, or modify critical data accessible through the Oracle HTTP Server and Oracle WebLogic Server Proxy Plug‑in.

CVE-2026-21962 - an ' Improper Access Control' vulnerability with CVSSv3 score: 10.

Both Weblogic Server Proxy Plug-in for Apache HTTP Server and Weblogic Server Proxy Plug-in for IIS components are affected by the vulnerability.

Remediation advice

Affected organisations are strongly advised to review Oracle's Critical Patch Update Advisory and apply the relevant updates as soon as possible.

Definitive source of threat updates

https://www.oracle.com/security-alerts/cpujan2026.html#AppendixFMW

CVE Vulnerabilities

Status Published

CVE-2026-21962

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

Last edited: 22 January 2026 4:26 pm