Skip to main content

Oracle Coherence CVE-2026-35309

| EUVDEUVD-2026-37435 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Vendor confirms unauthenticated network HTTP exploitation with low complexity and no user interaction, resulting in full product takeover, justifying PR:N/UI:N and C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:38 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion Middleware deployments running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0. The flaw resides in the Centralized Third Party Jars component and carries a critical 9.8 CVSS score with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the trivial attack profile and Oracle's CPU disclosure pattern make weaponization likely.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Coherence HTTP listener
Delivery
Send crafted HTTP request to Third Party Jars endpoint
Exploit
Trigger unauthenticated code path
Execution
Execute arbitrary code as service user
Persist
Establish persistence in middleware tier
Impact
Pivot to cached data and cluster nodes

Vulnerability AssessmentAI

Exploitation Per the CVSS vector AV:N/AC:L/PR:N/UI:N, no special conditions are required beyond network HTTP reachability to an Oracle Coherence instance running 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0; the attacker needs neither credentials nor user interaction. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All CVSS signals point to maximum real-world risk: AV:N/AC:L/PR:N/UI:N means a remote, unauthenticated attacker can exploit the issue over HTTP without user interaction or special conditions, and C:H/I:H/A:H confirms full system takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans for internet-reachable or internally exposed Oracle Coherence HTTP endpoints, then issues a single crafted HTTP request to the vulnerable Centralized Third Party Jars-handled path, achieving remote code execution as the Coherence/WebLogic process user and pivoting into cached business data, credentials, and the broader Fusion Middleware cluster. No authentication, user interaction, or chained vulnerabilities are required, and given Coherence's deployment role in financial, telecom, and government middleware stacks, a successful compromise typically yields high-value access.
Remediation Apply the Oracle Critical Patch Update for June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - the advisory ships fixes for all four affected versions (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0); patch available per vendor advisory, though specific post-patch version strings are not enumerated in the source data and should be confirmed against the CPU patch matrix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Oracle Coherence deployments and their network accessibility; isolate affected instances from untrusted networks where operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-35309 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy