Oracle WebLogic Server Proxy Plugin (CVE-2026-21962): Overview & Takeaways

Oracle has disclosed a critical, maximum severity vulnerability (CVE-2026-21962) impacting Oracle Fusion Middleware, specifically the Oracle HTTP Server and Oracle WebLogic Server Proxy Plugins for both Apache HTTP Server and Microsoft IIS. 

This vulnerability allows an unauthenticated remote attacker to bypass security controls and potentially gain unauthorized access to backend WebLogic systems. Because these proxy plugins often sit in DMZ environments, the exposure is significant. 

This vulnerability has a CVSS 3.1 Base Score of 10.0 (Critical) due to its low attack complexity and high potential for significant compromise.  

What do I need to know? 

• Vulnerability: CVE-2026-21962 – Critical flaw within the Oracle WebLogic Server Proxy Plugin request handling logic. 
• Severity: Critical (CVSS 10.0) 
• Attack Vector: Remote, unauthenticated HTTP based exploitation 
• Impact: Unauthorized read/write access to sensitive data handled by Oracle HTTP Server. Potential pivoting into backend WebLogic clusters allowing:  
  • Create, delete, and/or modification access to critical data 
  • Create, delete, and/or modification access to all data accessible by the affected services (HTTP Server, Weblogic server proxy plug-in) 
  • Full access to critical data 
  • Full access to all data accessible by the affected services (HTTP Server, Weblogic server proxy plug-in) 
  • Because the flaw exists within the proxy layer, it exposes infrastructure that is traditionally trusted as a secure gateway, increasing the overall risk to enterprise environments. 

Products and Systems Affected 

The vulnerability is confirmed in the following supported versions of Oracle Fusion Middleware components: 

• Impacted Versions: The following supported Oracle Fusion Middleware components are confirmed vulnerable: 
  • Oracle HTTP Server / Proxy Plugin 
  • 12.2.1.4.0 
  • 14.1.1.0.0 
  • 14.1.2.0.0 

• WebLogic Server Proxy Plugin for Microsoft IIS 
  • 12.2.1.4.0 

If your environment utilizes any of these versions, you should assume you are vulnerable and proceed with immediate remediation actions. 

What do I need to do? 

We recommend the following steps to identify and remediate this vulnerability: 

• Review and Audit 
  • Identify all Oracle HTTP Server and WebLogic Server Proxy Plugin installations, prioritizing Apache and IIS deployments. 
  • Confirm versions against vulnerable releases 
  • Prioritize DMZ hosted and externally exposed systems, which face the highest risk. 
  • Check deployment manifests, images, and pipelines for embedded or bundled proxy components. 
  • Review access logs for abnormal or malformed HTTP requests targeting proxy forwarding logic. 

• Patch Immediately 
  • Apply Oracle’s Critical Patch Update (CPU) for all affected components; this is the only complete remediation. 
  • Verify all nodes (production, failover, nonproduction) receive the update and follow Oracle’s post patch validation steps. 

• Mitigation (If Patching Is Delayed) 
  • Restrict network access to affected proxy ports to trusted IPs only 
    (may disrupt normal traffic). 
  • Strengthen WAF protections to detect/block suspicious proxy layer behavior. 
  • Increase monitoring for authentication bypass attempts or lateral movement from Oracle HTTP Server hosts. 
  • Further isolate DMZ proxy systems from backend WebLogic clusters until patched. 

NetSPI Product and Services Coverage 

NetSPI’s External Attack Surface Management has released a detection for this CVE.

Oracle HTTP Server / WebLogic Proxy Plug-in - Vulnerable Version Detection

We are available to support vulnerability identification, continuous attack surface management, and point in time testing. Visit our website for more information.