Skip to main content

Oracle Coherence EUVDEUVD-2026-37430

| CVE-2026-35304 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle states unauthenticated network exploitation over HTTPS with no UI leading to full product takeover, justifying AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H; scope unchanged as impact stays within Coherence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:35 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and at the time of analysis no public exploit identified at time of analysis.

Technical ContextAI

Oracle Coherence is an in-memory data grid platform within Oracle Fusion Middleware, widely used for distributed caching, low-latency data access, and cluster-wide state management in Java/JEE environments. The advisory identifies the 'Core' component as the affected subsystem, which handles fundamental clustering, serialization, and management traffic. Historically, critical Coherence vulnerabilities have stemmed from unsafe Java deserialization or remoting endpoints exposed by the cluster - root-cause classes (CWE-502 deserialization or CWE-20 input validation) are not assigned in this entry, but the CPE 'cpe:2.3:a:oracle_corporation:oracle_coherence' confirms the affected product across all listed major release lines (12.2.1.x through 15.1.1.x).

RemediationAI

Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html for each affected Coherence release line (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0); Oracle does not generally publish standalone hotfixes outside the CPU stream, so the CPU patch is the authoritative fix. Until patching is complete, restrict network reachability of Coherence cluster, management, and extend/proxy ports (e.g., the default 9099 extend proxy and any HTTPS management endpoints) to trusted application-tier hosts via firewalls, security groups, or network segmentation - note that overly tight restrictions can break cluster member discovery and client connections, so coordinate with application owners. Where feasible, also enable Coherence's SSL/identity-based cluster authentication and disable any non-essential management or REST endpoints, accepting that this may require configuration changes to clients.

Share

EUVD-2026-37430 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy