CVE-2026-21962

Critical

Published: 20 January 2026

Published

20 January 2026

Modified

03 February 2026

KEV Added

—

Patch

—

CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

EPSS Score 0.0002 6.0th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-21962 is a critical-severity Improper Access Control (CWE-284) vulnerability in Oracle Http Server. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly requires timely remediation including patching of critical flaws like CVE-2026-21962 in the Weblogic Server Proxy Plug-in to prevent exploitation.

AC-3 Access Enforcement partial match

prevent

Enforces approved access authorizations to provide layered protection against the improper access control vulnerability enabling unauthorized data access and modification.

SC-7 Boundary Protection partial match

prevent

Monitors and controls network communications to the vulnerable HTTP proxy plug-in, limiting unauthenticated attacker access via HTTP.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Unauthenticated network exploitation of improper access control in public-facing Oracle HTTP Server/Weblogic proxy plug-in directly enables T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and…

14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

Deeper analysisAI

CVE-2026-21962 is a vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware, specifically affecting the Weblogic Server Proxy Plug-in for Apache HTTP Server and Weblogic Server Proxy Plug-in for IIS. Supported versions impacted are 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0, with the Weblogic Server Proxy Plug-in for IIS affected only at version 12.2.1.4.0. The issue, linked to CWE-284 (Improper Access Control), carries a CVSS 3.1 Base Score of 10.0 with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N, indicating critical confidentiality and integrity impacts.

An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in. Although the flaw resides in these components, exploitation results in a scope change that may significantly impact additional products. Successful attacks enable unauthorized creation, deletion, or modification of critical data or all accessible data, as well as unauthorized access to critical data or complete access to all Oracle HTTP Server and Oracle Weblogic Server Proxy Plug-in accessible data.

Oracle has published a security alert at https://www.oracle.com/security-alerts/cpujan2026.html detailing the vulnerability and mitigation steps. Additional references include GitHub issues at https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1 (archived at https://web.archive.org/web/20260129165916/https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1) and a post on X at https://x.com/0xacb/status/2015473216844620280.

Details

CWE(s): CWE-284

Affected Products

oracle

http server

12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0

oracle

weblogic server proxy plug-in

12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0

CVEs Like This One

CVE-2026-34291Same product: Oracle Http Server

CVE-2025-50105Same vendor: Oracle

CVE-2026-34287Same vendor: Oracle

CVE-2025-50060Same vendor: Oracle

CVE-2026-21994Same vendor: Oracle

CVE-2026-21997Same vendor: Oracle

CVE-2026-22010Same vendor: Oracle

CVE-2026-34310Same vendor: Oracle

CVE-2026-35229Same vendor: Oracle

CVE-2026-22011Same vendor: Oracle

References

https://www.oracle.com/security-alerts/cpujan2026.html
Patch, Vendor Advisory · secalert_us@oracle.com
https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1
Not Applicable · 134c704f-9b21-4f2e-91b3-4a467353bcc0
https://web.archive.org/web/20260129165916/https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1
134c704f-9b21-4f2e-91b3-4a467353bcc0
https://x.com/0xacb/status/2015473216844620280
Not Applicable · 134c704f-9b21-4f2e-91b3-4a467353bcc0