Cyber Resilience

CVE-2026-21962

Critical

Published: 20 January 2026

Published
20 January 2026
Modified
03 February 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.4266 98.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-21962 is a critical-severity Improper Access Control (CWE-284) vulnerability in Oracle Http Server. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-21962 is a vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware, specifically affecting the Weblogic Server Proxy Plug-in for Apache HTTP Server and Weblogic Server Proxy Plug-in for IIS. Supported versions impacted are 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0, with the Weblogic Server Proxy Plug-in for IIS affected only at version 12.2.1.4.0. The issue, linked to CWE-284 (Improper Access Control), carries a CVSS 3.1 Base Score of 10.0 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N, indicating critical confidentiality and integrity impacts.

An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in. Although the flaw resides in these components, exploitation results in a scope change that may significantly impact additional products. Successful attacks enable unauthorized creation, deletion, or modification of critical data or all accessible data, as well as unauthorized access to critical data or complete access to all Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in accessible data.

Oracle has published a security alert at https://www.oracle.com/security-alerts/cpujan2026.html detailing the vulnerability and mitigation steps. Additional references include GitHub issues at https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1 (archived at https://web.archive.org/web/20260129165916/https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1) and a post on X at https://x.com/0xacb/status/2015473216844620280.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and…

more

14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated network exploitation of improper access control in public-facing Oracle HTTP Server/Weblogic proxy plug-in directly enables T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34291Same product: Oracle Http Server
CVE-2026-46818Same vendor: Oracle
CVE-2026-34310Same vendor: Oracle
CVE-2026-46839Same vendor: Oracle
CVE-2026-34287Same vendor: Oracle
CVE-2026-46822Same vendor: Oracle
CVE-2025-50105Same vendor: Oracle
CVE-2026-46820Same vendor: Oracle
CVE-2026-21994Same vendor: Oracle
CVE-2026-46821Same vendor: Oracle

Affected Assets

oracle
http server
12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0
oracle
weblogic server proxy plug-in
12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation including patching of critical flaws like CVE-2026-21962 in the Weblogic Server Proxy Plug-in to prevent exploitation.

prevent

Enforces approved access authorizations to provide layered protection against the improper access control vulnerability enabling unauthorized data access and modification.

prevent

Monitors and controls network communications to the vulnerable HTTP proxy plug-in, limiting unauthenticated attacker access via HTTP.

References