Brief Summary: Oracle HTTP Server CVE-2026-34291 Core Component Vulnerability with Scope Change

A short review of CVE-2026-34291, a high severity vulnerability in Oracle HTTP Server's Core component that allows unauthenticated attackers to compromise confidentiality and integrity with potential impact beyond the web tier. Includes patch information from Oracle's April 2026 Critical Patch Update.

CVE Analysis


ZeroPath CVE Analysis

2026-04-21

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A newly disclosed vulnerability in Oracle HTTP Server's Core component allows an unauthenticated attacker to read and manipulate critical data across the web tier and potentially into backend systems, all without triggering availability alerts. Scored at CVSS 8.7 with a scope change designation, CVE-2026-34291 represents a significant risk for organizations running Oracle Fusion Middleware as the front door to their application infrastructure, particularly because successful exploitation leaves no obvious service disruption footprint.

Technical Information

CVE-2026-34291 affects the Core component of Oracle HTTP Server, a key element of the Oracle Fusion Middleware stack that typically serves as the web tier in front of Oracle WebLogic Server and other application components. The vulnerability is present in supported versions 12.2.1.4.0 and 14.1.2.0.0.

CVSS Vector Breakdown

The full CVSS 3.1 vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. Breaking this down:

  • Attack Vector (AV:N): The vulnerability is exploitable remotely over the network via HTTP. No local or adjacent network access is required.
  • Attack Complexity (AC:H): Exploitation is difficult and requires conditions beyond the attacker's direct control. This is the primary factor preventing this from being a trivially exploitable flaw.
  • Privileges Required (PR:N): No authentication is needed. Any network entity that can reach the Oracle HTTP Server over HTTP can attempt exploitation.
  • User Interaction (UI:N): No action from a legitimate user is required to trigger the vulnerability.
  • Scope (S:C): This is the most consequential metric. The "Changed" scope means that while the vulnerability exists in Oracle HTTP Server, successful exploitation can impact resources managed by other authorization authorities. In practical terms, the blast radius extends beyond the web tier into backend systems or integrated Oracle components.
  • Confidentiality (C:H): An attacker can gain unauthorized access to critical data or achieve complete access to all data accessible by the Oracle HTTP Server.
  • Integrity (I:H): An attacker can perform unauthorized creation, deletion, or modification of critical data.
  • Availability (A:N): There is no availability impact. The system remains operational during and after exploitation, which is a critical detail for defenders: standard uptime monitoring and availability checks will not detect this attack.

Attack Surface and Exploitation Context

The attack protocol is HTTP, meaning the vulnerability is exposed on whatever port Oracle HTTP Server is listening on (commonly port 80 or 443). Because Oracle HTTP Server frequently sits at the network perimeter as a reverse proxy or load balancer for Oracle WebLogic and other Fusion Middleware components, the attack surface is often directly internet-facing.

The scope change designation deserves particular attention. Oracle HTTP Server acts as a gateway to backend application servers, databases, and middleware services. A vulnerability in its Core component with changed scope suggests that an attacker who compromises the HTTP Server layer could leverage that position to access or modify data in downstream systems that the HTTP Server proxies or connects to. This is consistent with the architecture of Oracle Fusion Middleware deployments, where the HTTP Server handles SSL termination, request routing, and sometimes authentication enforcement for backend services.

The absence of any availability impact (A:N) combined with high confidentiality and integrity impacts creates a particularly dangerous detection gap. An attacker exploiting this vulnerability would be silently reading and modifying data without causing any service disruption that would trigger operational alerts.

The April 2026 CPU addresses several other Oracle HTTP Server vulnerabilities that share the same affected versions. These provide useful context for understanding the overall risk posture:

CVE ID           Component                   Remote Exploit without Auth   CVSS Score
CVE-2026-34291   Core                        Yes                           8.7
CVE-2025-58098   Core (Apache HTTP Server)   No                            8.3
CVE-2024-43394   Core (Apache HTTP Server)   Yes                           7.5
CVE-2025-59775   Core (Apache HTTP Server)   Yes                           7.5
CVE-2025-65082   Core (Apache HTTP Server)   Yes                           6.5

CVE-2026-34291 is the highest scored vulnerability in this group and the only one with a scope change, making it the most impactful of the Oracle HTTP Server fixes in this cycle.

Patch Information

Oracle addressed CVE-2026-34291 through the April 2026 Critical Patch Update (CPU), officially released on April 21, 2026. This quarterly CPU addresses a total of 483 new security vulnerabilities across Oracle's entire product portfolio, with 59 patches specifically targeting the Oracle Fusion Middleware family.

The vulnerability resides in the Core component of Oracle HTTP Server and affects versions 12.2.1.4.0 and 14.1.2.0.0. According to the risk matrix published in Oracle's verbose CPU advisory, CVE-2026-34291 is listed as a standalone entry in the Oracle Fusion Middleware section.

Because Oracle HTTP Server is closed-source, proprietary software, no public code-level diff or commit is available for this fix. Oracle delivers the patch exclusively through My Oracle Support (MOS), and administrators should consult the Fusion Middleware Patch Availability Document (MOS Doc ID 2806740.1) for specific patch numbers and installation guidance. Oracle's CPU patches for Fusion Middleware are generally cumulative, meaning they build upon prior CPU patches.

It is worth noting that one of the upstream patch check systems suggested CVE-2026-33870 (a Netty HTTP request smuggling flaw) also addressed CVE-2026-34291. However, after verifying the verbose CPU risk matrix, this claim is not confirmed: CVE-2026-33870 appears under the Oracle Database Server section (Clusterware/Micronaut component), where its patch addresses CVE-2026-33013, not CVE-2026-34291. The two CVEs target entirely different Oracle products and components.

Organizations running Oracle HTTP Server 12.2.1.4.0 or 14.1.2.0.0 should apply the April 2026 CPU patch as the sole vendor-sanctioned remediation for this vulnerability.

Affected Systems and Versions

The following Oracle HTTP Server versions are confirmed affected:

  • Oracle HTTP Server 12.2.1.4.0 (part of Oracle Fusion Middleware)
  • Oracle HTTP Server 14.1.2.0.0 (part of Oracle Fusion Middleware)

The vulnerable component is Core, and the attack protocol is HTTP. Any deployment where Oracle HTTP Server is accessible over the network on these versions is potentially at risk. Given the scope change designation, downstream systems that Oracle HTTP Server proxies or integrates with should also be considered within the blast radius.

Vendor Security History

Oracle manages vulnerabilities through its quarterly Critical Patch Update program. The April 2026 CPU alone addresses 483 new security patches, reflecting the breadth of Oracle's product portfolio and the ongoing volume of security issues across it. Within this single update cycle, Oracle Fusion Middleware received 59 new security patches, with 46 of those being remotely exploitable without authentication. Oracle has publicly acknowledged that they continue to receive reports of attempts to exploit vulnerabilities for which patches have already been released, reinforcing the urgency of timely patch application across their product ecosystem.
