What happened
The Oracle WebLogic Server proxy plug-in flaw CVE-2026-21962 affects the Oracle HTTP Server and Oracle WebLogic Server Proxy Plug-in components that forward requests to backend WebLogic clusters, typically from DMZ deployments. The report describes the issue as a defect in how the proxy plug-ins for Apache HTTP Server and Microsoft IIS handle incoming requests, allowing unauthenticated remote exploitation over HTTP with no user interaction. It highlights a CVSS 3.1 base score of 10.0 and notes the Scope: Changed element of the vector, meaning a successful exploit is assessed to affect components beyond the proxy itself, so the proxy tier could become a pivot into the backend environment. Affected supported versions listed are Oracle HTTP Server / Proxy Plug-in 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0, and WebLogic Server Proxy Plug-in for IIS 12.2.1.4.0. Patches are available through Oracle's Critical Patch Update; where patching is not immediately possible, the report says restricting network access to the affected HTTP ports reduces exposure, although it does not remove the flaw for any client that can still reach those ports.
Who is affected
Organizations running Oracle Fusion Middleware with Oracle HTTP Server or the Oracle WebLogic Server Proxy Plug-in in front of WebLogic clusters are directly affected, especially where those proxies are reachable from the internet through a DMZ. Systems on the listed versions are exposed directly; the applications behind the proxy tier are exposed indirectly, because the proxy is the component that relays traffic to them.
Why CISOs should care
A compromised proxy tier is a stepping stone into core application infrastructure, so the breach scope extends well past the edge. Unauthenticated remote exploitability combined with a maximal severity score raises enterprise risk of data exposure and integrity loss, and shortens the path an intruder needs to reach high-value backend systems.
3 practical actions
- Patch affected proxy components immediately: apply the Oracle Critical Patch Update to every Oracle HTTP Server and Oracle WebLogic Server Proxy Plug-in instance on an affected version, treating it as a priority change.
- Reduce the external attack surface fast: restrict inbound access to the proxy HTTP ports to trusted networks, and allow only the DMZ-to-application paths the proxied applications actually need. Treat this as an interim control, not a substitute for the patch.
- Validate segmentation between proxy and backend: confirm the proxy tier cannot reach internal services other than its WebLogic targets, and monitor proxy access logs for request patterns that are anomalous for your environment, such as clients outside the trusted ranges or bursts of backend errors from a single source.
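The two network-side actions above are easiest to check against the proxy's own access log. The following is an added example, not code from the original report or from Oracle: it parses Apache/OHS-style combined-format access log lines, flags clients outside an assumed set of trusted CIDRs (which tells you whether the inbound restriction is actually holding), and flags clients generating repeated 5xx responses. The sample log lines, the CIDRs and the threshold are constructed for illustration; the heuristics are generic hygiene checks, not signatures for CVE-2026-21962.

```python
import ipaddress
import re
from collections import Counter

# Constructed Apache/OHS-style access log lines for illustration only; these are
# not real traffic and not indicators tied to any specific vulnerability.
SAMPLE_LOG = """\
10.20.1.15 - - [12/Feb/2026:09:14:02 +0000] "GET /app/home HTTP/1.1" 200 5123
10.20.1.16 - - [12/Feb/2026:09:14:03 +0000] "POST /app/login HTTP/1.1" 302 -
203.0.113.7 - - [12/Feb/2026:09:14:05 +0000] "GET /app/home HTTP/1.1" 200 5123
203.0.113.7 - - [12/Feb/2026:09:14:06 +0000] "GET /app/admin HTTP/1.1" 500 231
203.0.113.7 - - [12/Feb/2026:09:14:06 +0000] "GET /app/admin HTTP/1.1" 500 231
203.0.113.7 - - [12/Feb/2026:09:14:07 +0000] "GET /app/admin HTTP/1.1" 500 231
10.20.1.15 - - [12/Feb/2026:09:14:08 +0000] "GET /app/report HTTP/1.1" 503 198
garbage line that does not parse
"""

# Assumed trusted source ranges for this example; use your own network plan.
TRUSTED_CIDRS = ["10.20.0.0/16", "192.168.50.0/24"]

# Combined log format: client, ident, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["status"] = int(rec["status"])
        yield rec


def untrusted_sources(records, trusted_cidrs=TRUSTED_CIDRS):
    """Return the set of client addresses that fall outside every trusted CIDR."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    out = set()
    for rec in records:
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            out.add(rec["ip"])  # an unparseable client field is itself worth a look
            continue
        if not any(ip in n for n in nets):
            out.add(rec["ip"])
    return out


def server_error_bursts(records, threshold=3):
    """Map client -> number of 5xx responses, for clients at or above threshold."""
    counts = Counter(r["ip"] for r in records if 500 <= r["status"] <= 599)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def review(text, trusted_cidrs=TRUSTED_CIDRS, threshold=3):
    """Run both checks over a log and return a summary dict."""
    records = list(parse_access_log(text))
    return {
        "parsed": len(records),
        "untrusted": sorted(untrusted_sources(records, trusted_cidrs)),
        "error_bursts": server_error_bursts(records, threshold),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any address in the `untrusted` list means a packet reached the proxy's HTTP port from outside the allowed ranges, so the firewall or load-balancer restriction is not doing what the change ticket says it does. The 5xx burst check is deliberately coarse; tune the threshold to the proxy's normal error rate before alerting on it.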
