
Patches unauthenticated compromise risk in Oracle HTTP Server

1 min read
Published 21 Apr 2026 | Updated 21 Apr 2026
Source: GitHub Advisory Database (Unreviewed)

TL;DR — A High-severity Oracle HTTP Server flaw can let unauthenticated attackers with HTTP network access compromise the server, with potential impact beyond the HTTP tier due to scope change.

What happened

Oracle HTTP Server is a web server product shipped as part of Oracle Fusion Middleware deployments. GitHub’s Advisory Database published an advisory for CVE-2026-34291 describing a difficult-to-exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.

Oracle’s advisory text (as reflected in NVD and the GitHub entry) states that successful exploitation can lead to unauthorized creation, deletion, or modification of data, plus unauthorized access to confidential information, and highlights that attacks may significantly impact additional products in the Fusion Middleware environment due to scope change. This is the kind of issue platform teams should treat as a middleware boundary risk: if Oracle HTTP Server is internet-reachable or fronting other Oracle middleware services, the blast radius can extend well beyond the web tier.

Who is impacted

  • Organizations running Oracle Fusion Middleware environments that include Oracle HTTP Server.
  • Specifically, the advisory calls out supported Oracle HTTP Server versions 12.2.1.4.0 and 14.1.2.0.0 as affected.

Component: Oracle HTTP Server (Fusion Middleware)
Affected versions (per advisory): 12.2.1.4.0, 14.1.2.0.0
Severity / impact notes (per advisory): CVSS v3.1 8.7 (High); unauthenticated network access via HTTP; scope change noted

What to do now

  • Follow Oracle remediation guidance and apply the April 2026 CPU security patches:

    Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.

  • Inventory Oracle HTTP Server deployments and validate whether any instances are on the affected supported versions (12.2.1.4.0 / 14.1.2.0.0).
  • Prioritize patch planning for any Oracle HTTP Server instances that are internet-reachable or that front higher-value Fusion Middleware services.
  • Until patches are applied, reduce exposure where feasible (e.g., limit network reachability to required upstreams) and increase monitoring for anomalous HTTP traffic patterns against Oracle HTTP Server endpoints.
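The inventory and prioritization steps above, as an added example that is not part of the original post or of any Oracle tooling: it normalizes version strings as reported by inventory tooling, matches them exactly against the two affected versions named in the advisory, and orders affected instances by exposure (internet-reachable first, then instances fronting other Fusion Middleware services). The inventory rows, hostnames and exposure flags are constructed for illustration.

```python
from dataclasses import dataclass

# Supported versions the advisory names as affected by CVE-2026-34291.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.2.0.0"}

@dataclass
class OhsInstance:
    host: str
    version: str               # as reported by inventory tooling
    internet_reachable: bool   # reachable from outside the internal network
    fronts_middleware: bool    # reverse-proxies other Fusion Middleware services

def normalize_version(raw: str) -> str:
    """Canonicalise tooling output: trim whitespace and a leading 'v', keep numeric
    components only, and pad to five components ('14.1.2.0' -> '14.1.2.0.0')."""
    parts = [p for p in raw.strip().lstrip("vV").split(".") if p.isdigit()]
    while len(parts) < 5:
        parts.append("0")
    return ".".join(parts)

def is_affected(version: str) -> bool:
    """Exact match against the advisory's affected list after normalisation."""
    return normalize_version(version) in AFFECTED_VERSIONS

def priority(inst: OhsInstance) -> int:
    """Lower is more urgent: internet-reachable first, then instances fronting
    higher-value middleware, then the remaining affected instances."""
    if not is_affected(inst.version):
        return 99
    if inst.internet_reachable:
        return 0
    return 1 if inst.fronts_middleware else 2

def triage(inventory: list[OhsInstance]) -> list[tuple[int, str, str]]:
    """Return (priority, host, normalised version) for affected instances, most urgent first."""
    rows = [(priority(i), i.host, normalize_version(i.version))
            for i in inventory if is_affected(i.version)]
    return sorted(rows)

# Constructed sample inventory; hostnames and flags are illustrative, not real systems.
SAMPLE_INVENTORY = [
    OhsInstance("ohs-dmz-01", "12.2.1.4.0", True, True),
    OhsInstance("ohs-int-02", "14.1.2.0", False, True),
    OhsInstance("ohs-int-03", " v12.2.1.4.0 ", False, False),
    OhsInstance("ohs-lab-04", "12.2.1.3.0", True, False),   # not an affected version
]

for prio, host, ver in triage(SAMPLE_INVENTORY):
    print(f"P{prio} {host} {ver}")
```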
