Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle states unauthenticated network exploitation over HTTPS with no UI leading to full product takeover, justifying AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H; scope unchanged as impact stays within Coherence.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and at the time of analysis no public exploit identified at time of analysis.
Technical ContextAI
Oracle Coherence is an in-memory data grid platform within Oracle Fusion Middleware, widely used for distributed caching, low-latency data access, and cluster-wide state management in Java/JEE environments. The advisory identifies the 'Core' component as the affected subsystem, which handles fundamental clustering, serialization, and management traffic. Historically, critical Coherence vulnerabilities have stemmed from unsafe Java deserialization or remoting endpoints exposed by the cluster - root-cause classes (CWE-502 deserialization or CWE-20 input validation) are not assigned in this entry, but the CPE 'cpe:2.3:a:oracle_corporation:oracle_coherence' confirms the affected product across all listed major release lines (12.2.1.x through 15.1.1.x).
RemediationAI
Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html for each affected Coherence release line (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0); Oracle does not generally publish standalone hotfixes outside the CPU stream, so the CPU patch is the authoritative fix. Until patching is complete, restrict network reachability of Coherence cluster, management, and extend/proxy ports (e.g., the default 9099 extend proxy and any HTTPS management endpoints) to trusted application-tier hosts via firewalls, security groups, or network segmentation - note that overly tight restrictions can break cluster member discovery and client connections, so coordinate with application owners. Where feasible, also enable Coherence's SSL/identity-based cluster authentication and disable any non-essential management or REST endpoints, accepting that this may require configuration changes to clients.
More in Oracle Coherence
View allRemote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthe
Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion
Remote takeover of Oracle Coherence (Fusion Middleware component) is possible by unauthenticated network attackers reach
Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware, Centralized Third Party Jars
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware) via HTTP allows attackers to
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37430