Skip to main content

Oracle Coherence EUVDEUVD-2026-37431

| CVE-2026-35305 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.3
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
9.3 CRITICAL

Description confirms unauthenticated network HTTP exploitation (AV:N/AC:L/PR:N/UI:N), scope change into adjacent products (S:C), full read of accessible data (C:H), partial write (I:L), and no availability impact (A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:36 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).

AnalysisAI

Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware) via HTTP allows attackers to read all accessible data and modify a subset, with a scope change that can impact adjacent products. CVSS 3.1 base score is 9.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N) and no public exploit is identified at time of analysis, though the low attack complexity and unauthenticated network reachability make this a high-priority Critical Patch Update item.

Technical ContextAI

Oracle Coherence is an in-memory data grid used as a distributed caching and computation layer within Oracle Fusion Middleware deployments, frequently fronted by WebLogic and exposed via HTTP-based management and proxy services. The flaw lives in the 'Centralized Third Party Jars' component, indicating a defect in a bundled third-party library reachable through Coherence's HTTP interface; the scope-change flag (S:C) implies the vulnerable Coherence process can act on resources beyond its own security authority, typically meaning the surrounding JVM/container or co-located Fusion Middleware components are reachable from a successful exploit. No CWE has been assigned by Oracle, but the 'Authentication Bypass' tag combined with PR:N/UI:N and the third-party-jar component points to a pre-authentication parsing or routing flaw in a shared library rather than a Coherence-native protocol bug.

RemediationAI

Apply the patch shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle Coherence 15.1.1.0.0 - patch availability is confirmed via the Oracle CPU advisory, though no standalone fix version string is published outside of the CPU bundle, so install the CPU as the primary remediation. Until patched, restrict network reachability of Coherence HTTP/proxy listeners (default 7574 cluster, plus any Coherence*Extend or HTTP management endpoints) to trusted management subnets via firewall or service-mesh policy, and ensure the Coherence process is not exposed to the public internet or untrusted tenants; this will block remote unauthenticated reach but may disrupt cross-datacenter clients and remote Extend consumers, so test against application topology first. If a third-party JAR can be identified from the Oracle README once available, consider replacing or removing the vulnerable library as a secondary control, accepting that Oracle may not support a Coherence installation with modified bundled dependencies.

Share

EUVD-2026-37431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy