The Proxy That Talked Too Much: Dissecting CVE-2026-21962

Amit Schendel
Senior Security Researcher

Jan 22, 2026

Executive Summary (TL;DR)

Oracle's January 2026 Critical Patch Update (CPU) dropped a bombshell: a CVSS 10.0 RCE in the WebLogic Proxy Plug-in. By chaining a path normalization bypass (`..;`) with header injection through `WL-Proxy-Client-IP`, unauthenticated attackers can gain root access to the underlying server. Exploits are public and trivial.

A critical RCE in Oracle HTTP Server and WebLogic Proxy Plug-in allows unauthenticated attackers to execute arbitrary commands via malicious HTTP headers and path traversal techniques.
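The two signals named above (a `..;` path segment and a `WL-Proxy-Client-IP` header that carries something other than an address) can be checked in proxy access logs. The following is an added detection example, not code from the original post; it assumes a constructed Apache-style log format in which the `WL-Proxy-Client-IP` request header is logged as the last quoted field, and the sample lines are constructed.

```python
import ipaddress
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample lines in an assumed log format:
#   <client> "<METHOD> <path> <proto>" <status> "<WL-Proxy-Client-IP value>"
SAMPLE_LOG = """\
203.0.113.5 "GET /console/index.html HTTP/1.1" 200 "-"
203.0.113.5 "GET /app/..;/console/login HTTP/1.1" 200 "-"
198.51.100.9 "GET /app/index.html HTTP/1.1" 200 "10.0.0.7"
198.51.100.9 "GET /app/index.html HTTP/1.1" 200 "10.0.0.7;x"
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) (\S+)" (\d{3}) "([^"]*)"$')


def check_request(path: str, proxy_client_ip: str) -> Optional[str]:
    """Return a reason string if the request matches one of the two
    advisory signals, else None.  The path is percent-decoded once so a
    single-encoded '..;' is still caught; double encoding is not handled."""
    if "..;" in unquote(path):
        return "path-normalization-bypass"
    # The header should only ever carry an IP address; any other value is
    # the CWE-77 injection surface described in the advisory.
    if proxy_client_ip not in ("", "-"):
        try:
            ipaddress.ip_address(proxy_client_ip)
        except ValueError:
            return "suspicious-wl-proxy-client-ip"
    return None


def scan_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, reason, path) for every flagged log line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed format; skip it
        _, _, path, _, _, hdr = m.groups()
        reason = check_request(path, hdr)
        if reason:
            hits.append((n, reason, path))
    return hits


if __name__ == "__main__":
    for n, reason, path in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason} ({path})")
```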

Technical Appendix

CVSS Score: 10.0 / 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
EPSS Probability: 0.03% (top 92% most exploited)
50,000 via Shodan

Affected Systems

- Oracle HTTP Server 12.2.1.4.0
- Oracle HTTP Server 14.1.1.0.0
- Oracle HTTP Server 14.1.2.0.0
- Oracle WebLogic Server Proxy Plug-in (Apache/IIS)

Affected Versions Detail

Product                         Vendor   Affected Versions   Fixed Version
Oracle HTTP Server              Oracle   12.2.1.4.0          Jan 2026 CPU
WebLogic Server Proxy Plug-in   Oracle   14.1.1.0.0          Jan 2026 CPU

Attribute        Detail
CVSS             10.0 (Critical)
CWE              CWE-444, CWE-77
Attack Vector    Network (Unauthenticated)
EPSS             0.00031 (Rising)
Exploit Status   Public PoC Available
Key Vector       WL-Proxy-Client-IP Header

CWE-77: Command Injection
Improper Neutralization of Special Elements used in a Command

Vulnerability Timeline

2026-01-05  Pre-advisory notification
2026-01-20  CVE Published in Oracle CPU
2026-01-21  Public PoC Released
