Emergency Security Bulletin: Oracle Proxy Components Vulnerable to Unauthenticated Attack

By: RedLegg's Cyber Threat Intelligence Team

About:

CVE-2026-21962 is a critical unauthenticated vulnerability affecting Oracle HTTP Server and the Oracle WebLogic Server Proxy Plug-in for Apache and IIS. By sending specially crafted HTTP requests, a remote attacker can compromise the proxy component without authentication. Successful exploitation may result in unauthorized access to sensitive data and the ability to create, modify, or delete data processed by the proxy and potentially by downstream applications, posing a significant risk to enterprise environments, especially internet-facing deployments.

RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.


VULNERABILITIES

Unauthenticated Critical Data Compromise in Oracle HTTP Server and Oracle WebLogic Server Proxy Plug-in

CVSS Score: 10.0 (Critical, CVSS v3.1)
Identifier: CVE-2026-21962

Exploit or Proof of Concept (PoC): 
At this time, there is no publicly available proof-of-concept exploit code and no confirmed reports of active exploitation in the wild.

Update/Patch:

Oracle addressed CVE-2026-21962 in the January 2026 Oracle Critical Patch Update (CPU). Administrators should apply the relevant patches for Oracle HTTP Server and the Oracle WebLogic Server Proxy Plug-in as provided in:

https://www.oracle.com/security-alerts/cpujan2026.html


Affected components include:
Oracle HTTP Server and Oracle WebLogic Server Proxy Plug-in (Apache) versions:

  • 12.2.1.4.0
  • 14.1.1.0.0
  • 14.1.2.0.0

Oracle WebLogic Server Proxy Plug-in for IIS version 12.2.1.4.0

Description: 

CVE-2026-21962 is a critical vulnerability in Oracle HTTP Server and the Oracle WebLogic Server Proxy Plug-in for Apache and IIS. The flaw allows an unauthenticated remote attacker to send crafted HTTP requests that can compromise the proxy component. Successful exploitation can result in unauthorized access to sensitive data and the ability to create, modify, or delete data handled by the proxy and potentially by downstream applications.

 

Mitigation Recommendation:

Immediately apply the January 2026 Oracle Critical Patch Update to all affected Oracle HTTP Server and WebLogic Proxy Plug-in installations, prioritizing internet-facing systems.

Restrict network exposure of proxy and HTTP server components by placing them behind firewalls, WAFs, or VPN/ZTNA solutions, and allow access only from trusted networks.

Review web and proxy logs for suspicious request patterns, unexpected endpoints, or abnormal data access activity.