Skip to main content

Oracle Coherence EUVDEUVD-2026-37432

| CVE-2026-35306 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.3
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
9.3 CRITICAL

Remote HTTP exploitation with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); scope change to adjacent Fusion Middleware products, full data disclosure (C:H), limited write (I:L), no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:36 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).

AnalysisAI

Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware, Centralized Third Party Jars component) allows network-based attackers to read all Coherence-accessible data and perform limited data modification over HTTP, with a scope change that can impact additional products in the same deployment. Oracle rates the issue CVSS 9.3 and describes it as easily exploitable; no public exploit identified at time of analysis and it is not currently on the CISA KEV list.

Technical ContextAI

Oracle Coherence is an in-memory data grid used inside Oracle Fusion Middleware for distributed caching, session replication, and clustered application state, frequently fronted by WebLogic and other Fusion Middleware tiers. The affected component is 'Centralized Third Party Jars', meaning the flaw lives in bundled third-party libraries shipped with Coherence rather than core Coherence code, which is a recurring pattern (e.g. T3/IIOP and serialization library issues) historically seen in Fusion Middleware. No CWE was assigned in the input, but the CVSS profile (AV:N/AC:L/PR:N/UI:N, scope change, high confidentiality, low integrity, no availability impact) combined with the 'Authentication Bypass' tag and CPE cpe:2.3:a:oracle_corporation:oracle_coherence is most consistent with an authentication / access-control bypass over an HTTP-exposed Coherence management or data interface, allowing cross-trust-boundary access to data managed for other Fusion Middleware products.

RemediationAI

Apply the Oracle Critical Patch Update referenced in https://www.oracle.com/security-alerts/cspujun2026.html for Oracle Coherence 15.1.1.0.0 as soon as possible; this is the vendor-released patch and Oracle classifies the issue as easily exploitable, so it should be prioritized in the next emergency change window. Until the CPU can be deployed, restrict network access to Coherence cluster ports and any HTTP-exposed Coherence management/REST endpoints to a trusted management subnet via firewall or security group rules, and place WebLogic/Fusion Middleware tiers using Coherence behind authenticating reverse proxies - note this can break legitimate cross-datacenter cluster traffic and management tooling and should be tested. If feasible, disable or unbind any Coherence REST/HTTP management services that are not strictly required and audit Centralized Third Party Jars versions against Oracle's advisory, accepting that some Fusion Middleware features depending on those jars may degrade. Do not rely on perimeter controls alone given the scope-change impact on adjacent products.

Share

EUVD-2026-37432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy