CVE-2026-21962

CWE-284 — Improper Access Control7 documents7 sources

Severity

10.0CRITICAL

EPSS

0.0%

top 95.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oracle Http Server Oracle Weblogic Server Proxy Plug-in

Timeline

PublishedJan 20

Latest updateJan 29

Description

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Orac…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:NExploitability: 3.9 | Impact: 5.8

Affected Packages2 packages

▶NVDoracle/http_server12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0+2

▶NVDoracle/weblogic12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0+2

Patches

Patch: www.oracle.com ↗

🔴Vulnerability Details

GHSA

GHSA-4wp9-cf5h-v2g5: Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Pl↗2026-01-21

▶

CVEList

CVE-2026-21962: Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Pl↗2026-01-20

▶

VulnCheck

Oracle http_server Improper Access Control↗2026

▶

🔍Detection Rules

Suricata

ET WEB_SPECIFIC_APPS Oracle WebLogic Server Proxy Plug-in Authentication Bypass (CVE-2026-21962)↗2026-01-29

▶

📋Vendor Advisories

Oracle

Oracle Oracle Fusion Middleware Risk Matrix: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS — CVE-2026-21962↗2026-01-15

▶

🕵️Threat Intelligence

Wiz

CVE-2026-21962 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶