Skip to main content

Oracle Coherence CVE-2026-35304

| EUVDEUVD-2026-37430 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle states unauthenticated network exploitation over HTTPS with no UI leading to full product takeover, justifying AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H; scope unchanged as impact stays within Coherence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:35 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and at the time of analysis no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Coherence HTTPS endpoint
Delivery
Send crafted unauthenticated request
Exploit
Exploit Core component flaw
Execution
Achieve Coherence takeover
Persist
Read/modify cached data
Impact
Pivot into Fusion Middleware tier

Vulnerability AssessmentAI

Exploitation Network reachability to an Oracle Coherence HTTPS-exposed endpoint on a supported version (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0) is the only stated prerequisite - no authentication, no user interaction, and no special configuration are required per the CVSS vector AV:N/AC:L/PR:N/UI:N and Oracle's 'easily exploitable' wording. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals point to high real-world priority: CVSS 3.1 is 9.8 with AV:N/AC:L/PR:N/UI:N, meaning trivial network exploitation with no authentication and no user interaction, plus full C/I/A impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reachable on the network sends a crafted HTTPS request to an exposed Oracle Coherence endpoint and, without supplying credentials or requiring user interaction, gains control of the Coherence instance - enabling cache data theft or tampering and likely code execution within the Fusion Middleware tier. From there the attacker can pivot into application back-ends that rely on the cache for session, identity, or business state. …
Remediation Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html for each affected Coherence release line (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0); Oracle does not generally publish standalone hotfixes outside the CPU stream, so the CPU patch is the authoritative fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running affected Coherence versions; isolate from untrusted networks and restrict administrative access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-35304 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy