Introduction
An unauthenticated information disclosure flaw in Oracle WebLogic Server's Web Services component gives remote attackers a direct path to critical server data over plain HTTP, with no credentials and no user interaction required. Disclosed as part of Oracle's April 2026 Critical Patch Update, CVE-2026-34305 carries a CVSS 3.1 Base Score of 7.5 and affects four supported version trains of one of the most widely deployed enterprise Java application servers in production today.
Technical Information
CVE-2026-34305 targets the Web Services component within Oracle WebLogic Server, a core piece of Oracle Fusion Middleware. The vulnerability's CVSS vector tells us a great deal about its risk profile:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Breaking this down:
- Attack Vector: Network — The attacker reaches the vulnerable component over the network via HTTP.
- Attack Complexity: Low — No special conditions or race conditions are needed; the exploit path is straightforward.
- Privileges Required: None — The attacker does not need any form of authentication.
- User Interaction: None — No action from a legitimate user is required to trigger the vulnerability.
- Scope: Unchanged — The exploited component and the impacted component are the same (WebLogic Server itself).
- Confidentiality Impact: High — Successful exploitation can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.
- Integrity and Availability Impact: None — The vulnerability does not allow data modification or service disruption.
What We Know About the Attack Flow
The exploit is delivered over HTTP to the Web Services component. Because no authentication or user interaction is required and the attack complexity is low, this vulnerability is well suited for automated scanning and exploitation at scale. An attacker with network access to a WebLogic Server's HTTP listener could craft requests targeting the Web Services endpoint to extract sensitive data.
Oracle and the National Vulnerability Database have not disclosed the specific exploit mechanics, the exact nature of the HTTP requests used to trigger the vulnerability, or any proof-of-concept code. No Common Weakness Enumeration (CWE) identifier has been assigned to this CVE, which limits our ability to categorize the root cause (e.g., whether this is an authentication bypass, an XML External Entity injection, a path traversal, or another class of flaw).
Comparison With a Related Vulnerability
Within the same April 2026 CPU, Oracle disclosed CVE-2026-34315, another vulnerability in the Web Services component with an identical CVSS score of 7.5 and affecting the same four versions. The critical distinction is that CVE-2026-34315 requires user interaction from a person other than the attacker. CVE-2026-34305, by contrast, requires zero user interaction. This difference makes CVE-2026-34305 the higher practical priority for defenders, as it can be exploited entirely through automated, unsolicited network requests.
Patch Information
Oracle has officially addressed CVE-2026-34305 through its April 2026 Critical Patch Update (CPU), released on April 21, 2026. This is a vendor-supplied, closed-source patch, meaning there are no public source code diffs or commit histories to inspect, as is standard for Oracle proprietary products.
The patch targets the Web Services component of Oracle WebLogic Server and covers all four affected versions: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The fix is focused on remediating how the Web Services component handles incoming requests, tightening access controls to prevent information disclosure.
To obtain the patch binaries, administrators must follow Oracle's structured distribution process:
- Navigate to the Oracle Critical Patch Update Advisory, April 2026.
- In the Affected Products and Patch Information table, locate the row for Oracle WebLogic Server.
- Click the Fusion Middleware link in the Patch Availability Document column. This opens the Fusion Middleware CPU Patch Availability Document (PAD) on My Oracle Support (MOS). The referenced MOS Doc ID for the full list of current and previously released Fusion Middleware CPU patches is KA1182.
- Within the PAD, select the applicable WebLogic Server version (e.g., 12.2.1.4, 14.1.1.0, 14.1.2.0, or 15.1.1.0) and follow the Patch Advisor to download the correct Patch Set Update (PSU) bundle.
Oracle delivers WebLogic patches as cumulative Patch Set Updates (PSUs). Each quarterly PSU rolls up all prior security fixes, so applying the April 2026 PSU also picks up fixes from the January 2026 CPU and earlier. The patch is applied using Oracle's OPatch utility against the WebLogic Server home directory.
For WebLogic Server for OCI environments, note that patches are not automatically applied to existing domains and must be deployed manually.
This CVE was one of 59 new security patches for Oracle Fusion Middleware shipped in the April 2026 CPU, of which 46 address vulnerabilities that are remotely exploitable without authentication. An active Oracle Support contract is required to download the patch from My Oracle Support.
Affected Systems and Versions
The following versions of Oracle WebLogic Server are confirmed affected:
| Product Component | Affected Version | Attack Vector | Requires Authentication | Requires User Interaction | CVSS Base Score |
|---|---|---|---|---|---|
| Web Services | 12.2.1.4.0 | HTTP | No | No | 7.5 |
| Web Services | 14.1.1.0.0 | HTTP | No | No | 7.5 |
| Web Services | 14.1.2.0.0 | HTTP | No | No | 7.5 |
| Web Services | 15.1.1.0.0 | HTTP | No | No | 7.5 |
All four supported version trains share the same risk profile and exploitability metrics. Organizations should inventory their environments for these specific versions to determine their exposure surface. Any WebLogic Server instance exposing the Web Services component over HTTP is potentially at risk.
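As an added example of the inventory step (not code from the original page or from Oracle), the script below takes the output of `java weblogic.version` collected from each host, normalizes the version string, checks it against the affected versions in the table above, and ranks hosts by whether their HTTP listener is reachable from untrusted networks. The assumed format of the `weblogic.version` output (a line beginning "WebLogic Server <version>"), the hostnames and the listener-exposure flags are all constructed for the example.

```python
import re

# Affected versions from the advisory's table (five-component form).
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0", "14.1.2.0.0", "15.1.1.0.0"}

# Assumed: `java weblogic.version` prints a line such as
# "WebLogic Server 12.2.1.4.0 Thu Sep 12 04:04:29 GMT 2019 1974621".
_VERSION_RE = re.compile(r"WebLogic Server\s+(\d+(?:\.\d+)+)")


def normalize_version(version):
    """Pad a dotted version to five components so that the four-part
    form used in the Patch Availability Document ('12.2.1.4') compares
    equal to the five-part form in the advisory table ('12.2.1.4.0')."""
    parts = version.split(".")
    if not all(p.isdigit() for p in parts) or not 1 <= len(parts) <= 5:
        raise ValueError("not a WebLogic version string: %r" % version)
    return ".".join(parts + ["0"] * (5 - len(parts)))


def is_affected(version):
    """True if the version is one of the four listed in the advisory."""
    return normalize_version(version) in AFFECTED_VERSIONS


def parse_weblogic_version(output):
    """Extract the version from `java weblogic.version` output, or None."""
    m = _VERSION_RE.search(output)
    return normalize_version(m.group(1)) if m else None


def triage(inventory):
    """inventory: {hostname: (weblogic.version output, listener_exposed)}.
    Returns {hostname: status} with one of:
      'affected-exposed'  - listed version, HTTP listener reachable: patch first
      'affected-internal' - listed version, listener not externally reachable
      'not-listed'        - version is not in the advisory's table
      'unknown'           - version could not be determined: check by hand"""
    result = {}
    for host, (output, exposed) in inventory.items():
        version = parse_weblogic_version(output)
        if version is None:
            result[host] = "unknown"
        elif version in AFFECTED_VERSIONS:
            result[host] = "affected-exposed" if exposed else "affected-internal"
        else:
            result[host] = "not-listed"
    return result


# Constructed sample inventory; the command output lines are illustrative.
SAMPLE_INVENTORY = {
    "app-prod-01": ("WebLogic Server 12.2.1.4.0 Thu Sep 12 04:04:29 GMT 2019 1974621\n", True),
    "app-prod-02": ("WebLogic Server 14.1.2.0.0 Fri Oct 18 01:00:00 GMT 2024 000000\n", False),
    "app-dev-03": ("WebLogic Server 12.2.1.3.0 Thu Aug 17 13:39:49 PDT 2017 1882952\n", True),
    "app-legacy-04": ("Error: Could not find or load main class weblogic.version\n", True),
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-14s %s" % (host, status))
```

Hosts reported as "not-listed" are not necessarily safe: the advisory only enumerates the supported version trains, so an older, out-of-support release should be treated as a separate upgrade problem rather than as unaffected. Hosts reported as "unknown" need a manual check before being closed out.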
Vendor Security History
Oracle manages security vulnerabilities through a standardized quarterly release cycle known as Critical Patch Updates. The April 2026 CPU alone included 59 new security patches for Oracle Fusion Middleware, with 46 of those addressing remotely exploitable vulnerabilities that require no authentication. This volume is consistent with Oracle's historical pattern of bundling large numbers of security fixes into each quarterly release. WebLogic Server has been a recurring target in Oracle CPUs, reflecting both its widespread enterprise deployment and the breadth of its attack surface.