Oracle Fusion Middleware WebLogic Server Proxy Plug-in, unauthenticated improper access control (CVE-2026-21962)
A vulnerability in the Oracle HTTP Server / Oracle WebLogic Server Proxy Plug-in component of Oracle Fusion Middleware (WebLogic Server Proxy Plug-in for Apache HTTP Server and for IIS) allows an unauthenticated attacker with network access via HTTP to compromise the affected products. Supported versions affected are 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0. The easily exploitable flaw can result in unauthorized data access and modification, and while the vulnerability is in the proxy plug-in, attacks may significantly impact additional products.
Overview
CVE-2026-21962 is a maximum-severity (CVSS 10.0) vulnerability in the Oracle HTTP Server and Oracle WebLogic Server Proxy Plug-in components of Oracle Fusion Middleware, specifically the WebLogic Server Proxy Plug-in for Apache HTTP Server and for Microsoft IIS. An unauthenticated attacker with network access over HTTP can compromise the affected products, and because the CVSS scope is changed (S:C), exploitation may significantly impact additional products beyond the proxy plug-in itself. Oracle addressed the issue in its January 2026 Critical Patch Update, and NVD published the record on January 20, 2026. As of this writing the CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
Technical Details
The weakness is classified as CWE-284 (improper access control). The Oracle CPU describes the issue as an easily exploitable vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise the Oracle HTTP Server / WebLogic Server Proxy Plug-in, with the potential for unauthorized access to and modification of data. The CVSS base score on the NVD record is 10.0 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N, scored by Oracle as the CNA: no privileges or user interaction are required (PR:N/UI:N), confidentiality and integrity impact are rated high (C:H/I:H), availability is not rated as impacted (A:N), and the changed scope (S:C) reflects that a successful attack on the proxy plug-in can significantly impact components beyond it. Supported versions affected are 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0 (the IIS plug-in is listed for 12.2.1.4.0). Neither the Oracle CPU text nor the NVD record, as summarized here, describes the triggering request or the specific access-control check that fails, so detection has to rely on behavioural indicators rather than a request signature.
Impact
- Unauthenticated, network-based compromise of the Oracle HTTP Server / WebLogic Server Proxy Plug-in over HTTP.
- Unauthorized access to and modification of data handled by the affected products.
- Changed-scope impact, meaning a successful attack can significantly affect additional Oracle products fronted by the proxy.
- Potential exposure of WebLogic application traffic proxied through Apache HTTP Server or IIS.
Mitigation
- Apply the Oracle January 2026 Critical Patch Update fixes for the affected versions 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0.
- Update the WebLogic Server Proxy Plug-in for Apache HTTP Server and for IIS to the patched plug-in shipped in the January 2026 CPU.
- Restrict network exposure of the proxy/HTTP Server front end to trusted networks where operationally feasible while patching.
- After patching, review proxied WebLogic applications and the HTTP Server/IIS front end for signs of unauthorized access or data modification.
Detection
Review Oracle HTTP Server, Apache HTTP Server, and IIS access logs for anomalous requests to paths handled by the WebLogic proxy plug-in: malformed request lines, header-manipulation or request-smuggling patterns, and access to proxied paths from untrusted sources. The advisory does not describe the triggering request, so the most useful signal is behavioural: because the flaw is an unauthenticated access-control failure with changed scope, focus on requests that reach back-end WebLogic resources without passing through the expected authentication or routing, and on responses that return data the requester should not be able to read. On the WebLogic managed servers and the applications fronted by the proxy, look for unauthorized reads or modifications, unexpected session activity, and configuration drift that does not correspond to legitimate administrative changes.

Confirm remediation by verifying that the January 2026 Critical Patch Update has been applied and that the proxy plug-in binaries for Apache HTTP Server and IIS were replaced with the patched builds; the patched build is the definitive indicator that the vector is closed. Correlate any suspicious activity with the timing of the CPU release and with vendor- or community-published guidance for the WebLogic Server Proxy Plug-in.

As of this writing, CVE-2026-21962 is not listed in CISA's Known Exploited Vulnerabilities catalog and there is no confirmed in-the-wild exploitation. Given the maximum CVSS score, the unauthenticated network attack vector, and the changed scope that can extend impact to additional Oracle products, internet-reachable or untrusted-network-reachable deployments should be patched first and monitored closely. Maintain heightened log review until the affected hosts are confirmed patched, and treat any environment that was exposed before patching as warranting a focused integrity review of the proxied applications and their data.

To operationalize this, begin with an inventory: identify every Oracle HTTP Server and WebLogic Server Proxy Plug-in deployment (Apache HTTP Server and IIS), record the plug-in version on each, and determine which front ends were reachable from untrusted networks. A maximum-severity unauthenticated flaw in an internet-facing proxy becomes an attractive target once technical details circulate, so forward web server and proxy logs to a SIEM and alert on the malformed-request and routing-bypass patterns above. Because the scope is changed, extend monitoring to the back-end WebLogic managed servers and the applications they host, and to the trust the proxy mediates toward additional Oracle products.
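The inventory and log-review steps above, as an added example written for this page (not Oracle's tooling or code): it parses a constructed httpd.conf fragment to inventory the Location blocks handed to the WebLogic plug-in, then reviews constructed Apache common-format access-log lines against that inventory. The directive names (LoadModule weblogic_module, SetHandler weblogic-handler, WebLogicHost, WebLogicPort, WebLogicCluster, Require ip) are the plug-in's and httpd's real directives; the hostnames, paths, addresses, the trusted range 10.0.0.0/8 and the log lines are assumptions invented for the example. The checks are generic indicators for an unauthenticated access-control failure in a proxy (unparseable request lines, traversal-style targets, and untrusted sources receiving 2xx responses on proxied paths, including paths the config restricts by IP); they are not a signature for CVE-2026-21962, whose triggering request the advisory does not describe.

```python
"""Inventory WebLogic-proxied <Location> blocks from an Apache httpd.conf and review
access-log lines against them. Added example, not Oracle code; all values constructed."""
import ipaddress
import posixpath
import re
from dataclasses import dataclass, field

# Constructed httpd.conf fragment: real plug-in directive names, invented values.
SAMPLE_HTTPD_CONF = """
LoadModule weblogic_module modules/mod_wl_24.so
<Location /portal>
  SetHandler weblogic-handler
  WebLogicHost wls1.example.internal
  WebLogicPort 7001
</Location>
<Location /console>
  SetHandler weblogic-handler
  WebLogicHost admin.example.internal
  WebLogicPort 7001
  Require ip 10.0.0.0/8
</Location>
"""
# Constructed common-format access-log lines; raw string keeps line 4's escaped bytes.
SAMPLE_ACCESS_LOG = r"""
10.1.2.3 - - [20/Jan/2026:10:00:01 +0000] "GET /portal/home HTTP/1.1" 200 5123
203.0.113.5 - - [20/Jan/2026:10:00:02 +0000] "GET /console/ HTTP/1.1" 200 8814
203.0.113.5 - - [20/Jan/2026:10:00:03 +0000] "GET /portal/../console/ HTTP/1.1" 200 901
198.51.100.7 - - [20/Jan/2026:10:00:04 +0000] "\x16\x03\x01\x01\x02\x01" 400 0
10.5.5.5 - - [20/Jan/2026:10:00:05 +0000] "GET /static/logo.png HTTP/1.1" 200 3001
203.0.113.9 - - [20/Jan/2026:10:00:06 +0000] "GET /portal/login HTTP/1.1" 200 2200
""".strip().splitlines()
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: internal range

@dataclass
class ProxiedLocation:
    path: str
    backends: list = field(default_factory=list)
    require_ip: list = field(default_factory=list)

def parse_weblogic_locations(conf_text):
    """Return the <Location> blocks whose handler is the WebLogic plug-in."""
    found, cur, is_wl, host, port = [], None, False, None, None
    for line in (l.strip() for l in conf_text.splitlines()):
        m = re.match(r"<Location\s+(\S+)\s*>", line, re.I)
        if m:
            cur, is_wl, host, port = ProxiedLocation(m.group(1)), False, None, None
        elif cur is None or not line or line.startswith("#"):
            continue
        elif line.lower() == "</location>":
            if is_wl:
                cur.backends += [f"{host}:{port or '80'}"] if host else []
                found.append(cur)
            cur = None
        else:
            key, *args = line.split()
            key = key.lower()
            if key == "sethandler" and args and args[0].lower() == "weblogic-handler":
                is_wl = True
            elif key == "weblogichost":
                host = args[0]
            elif key == "weblogicport":
                port = args[0]
            elif key == "weblogiccluster":
                cur.backends += args[0].split(",")
            elif key == "require" and len(args) > 1 and args[0].lower() == "ip":
                cur.require_ip += args[1:]
    return found

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
REQUEST_RE = re.compile(r"^[A-Z]{3,10} (?P<target>\S+) HTTP/\d\.\d$")

def is_trusted(ip):
    try:
        return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        return False

def match_location(path, locs):
    """Longest-prefix match, as httpd applies the most specific <Location>."""
    hits = [l for l in locs if path == l.path or path.startswith(l.path.rstrip("/") + "/")]
    return max(hits, key=lambda l: len(l.path)) if hits else None

def review_access_log(lines, locs):
    """Return (line_no, kind, detail) findings: generic indicators, not a CVE signature."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append((n, "unparseable_log_line", line))
            continue
        ip, req, status = m["ip"], m["req"], int(m["status"])
        r = REQUEST_RE.match(req)
        if not r:  # not "METHOD target HTTP/x.y": TLS-to-plaintext, fuzzing, smuggling residue
            findings.append((n, "malformed_request_line", req))
            continue
        raw_path = r["target"].split("?", 1)[0]
        if ".." in raw_path or re.search(r"%0[0ad]", raw_path, re.I):
            findings.append((n, "suspicious_target", r["target"]))
        # httpd resolves dot-segments before <Location> matching; mirror that (simplified)
        loc = match_location(posixpath.normpath(raw_path), locs)
        if loc is None or is_trusted(ip) or not 200 <= status < 300:
            continue
        kind = "ip_restriction_not_enforced" if loc.require_ip else "untrusted_access_to_proxied_path"
        findings.append((n, kind, f"{ip} got {status} on {loc.path} -> {','.join(loc.backends)}"))
    return findings

if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_ACCESS_LOG, parse_weblogic_locations(SAMPLE_HTTPD_CONF)):
        print(finding)
```

Point it at the real httpd.conf (follow Include directives first) and at the front end's access logs; the IIS plug-in logs in W3C extended format and needs a different line parser, but the same location inventory and the same three questions apply. An `ip_restriction_not_enforced` finding on a path the configuration limits to internal ranges is the one to escalate, since it is exactly the shape of failure CWE-284 describes; `untrusted_access_to_proxied_path` on an intentionally public path is an exposure record, not an alert, and is what the inventory step needs for prioritizing patching.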