Cyber Posture

CVE-2026-34292

High

Published: 21 April 2026

Published
21 April 2026
Modified
23 April 2026
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0010 27.1th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-34292 is a high-severity Improper Access Control (CWE-284) vulnerability in Oracle Weblogic Server. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 27.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the specific flaw in Oracle WebLogic Server Core component by applying vendor patches from the April 2026 Critical Patch Update.

RA-5 Vulnerability Monitoring and Scanning good match
detect

Identifies affected WebLogic versions vulnerable to CVE-2026-34292 through automated scanning and monitoring.

AC-6 Least Privilege partial match
prevent

Limits high-privilege accounts with network access via HTTP that are required to exploit this vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The vulnerability requires a high-privileged attacker (PR:H) with network access and results in full server compromise, directly enabling exploitation for privilege escalation from application-level high privileges to complete system takeover.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful…

more

attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Deeper analysisAI

CVE-2026-34292 is a vulnerability in the Core component of Oracle WebLogic Server, which is part of the Oracle Fusion Middleware product. The supported versions affected by this issue are 12.2.1.4.0 and 14.1.1.0.0. It has a CVSS 3.1 Base Score of 7.2, with the vector (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), and is associated with CWE-284.

This easily exploitable vulnerability can be leveraged by a high-privileged attacker who has network access via HTTP. Successful exploitation allows the attacker to fully compromise Oracle WebLogic Server, resulting in high impacts to confidentiality, integrity, and availability, effectively enabling takeover of the server.

Oracle has issued a security advisory as part of its Critical Patch Update for April 2026, available at https://www.oracle.com/security-alerts/cpuapr2026.html, which provides details on patches and mitigation steps for addressing this vulnerability.

Details

CWE(s)
CWE-284

Affected Products

oracle
weblogic server
12.2.1.4.0, 14.1.1.0.0

CVEs Like This One

CVE-2026-35242Same vendor: Oracle
CVE-2025-21535Same product: Oracle Weblogic Server
CVE-2026-35251Same vendor: Oracle
CVE-2026-34305Same product: Oracle Weblogic Server
CVE-2025-21549Same product: Oracle Weblogic Server
CVE-2026-35243Same vendor: Oracle
CVE-2026-35246Same vendor: Oracle
CVE-2026-22011Same vendor: Oracle
CVE-2026-34309Same vendor: Oracle
CVE-2026-35230Same vendor: Oracle

References