CVE-2026-34305
Published: 21 April 2026
Summary
CVE-2026-34305 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Oracle Weblogic Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely remediation of identified flaws like CVE-2026-34305 in Oracle WebLogic Server Web Services to prevent unauthorized data access.
Mandates vulnerability scanning to identify CVE-2026-34305 in affected WebLogic versions, enabling proactive patching.
Monitors and controls communications at system boundaries to restrict network access via HTTP to the vulnerable Web Services component.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability allows unauthenticated remote attackers to exploit a public-facing Web Services component in Oracle WebLogic Server via HTTP to access sensitive/critical data, directly enabling T1190 (Exploit Public-Facing Application) for initial access and data exposure.
NVD Description
Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Web Services). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic…
more
Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Deeper analysisAI
CVE-2026-34305 is a vulnerability in the Web Services component of Oracle WebLogic Server, which is part of Oracle Fusion Middleware. The supported versions affected by this issue are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. Classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), it carries a CVSS 3.1 base score of 7.5 with the vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact but no integrity or availability effects.
An unauthenticated attacker with network access via HTTP can easily exploit this vulnerability to compromise Oracle WebLogic Server. Successful attacks enable unauthorized access to critical data or complete access to all data accessible by the server.
Oracle's security advisory, published as part of the April 2026 Critical Patch Update at https://www.oracle.com/security-alerts/cpuapr2026.html, provides further details on mitigation and patching.
Details
- CWE(s)