Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Remote HTTP exploitation with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); scope change to adjacent Fusion Middleware products, full data disclosure (C:H), limited write (I:L), no availability impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
AnalysisAI
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware, Centralized Third Party Jars component) allows network-based attackers to read all Coherence-accessible data and perform limited data modification over HTTP, with a scope change that can impact additional products in the same deployment. Oracle rates the issue CVSS 9.3 and describes it as easily exploitable; no public exploit identified at time of analysis and it is not currently on the CISA KEV list.
Technical ContextAI
Oracle Coherence is an in-memory data grid used inside Oracle Fusion Middleware for distributed caching, session replication, and clustered application state, frequently fronted by WebLogic and other Fusion Middleware tiers. The affected component is 'Centralized Third Party Jars', meaning the flaw lives in bundled third-party libraries shipped with Coherence rather than core Coherence code, which is a recurring pattern (e.g. T3/IIOP and serialization library issues) historically seen in Fusion Middleware. No CWE was assigned in the input, but the CVSS profile (AV:N/AC:L/PR:N/UI:N, scope change, high confidentiality, low integrity, no availability impact) combined with the 'Authentication Bypass' tag and CPE cpe:2.3:a:oracle_corporation:oracle_coherence is most consistent with an authentication / access-control bypass over an HTTP-exposed Coherence management or data interface, allowing cross-trust-boundary access to data managed for other Fusion Middleware products.
RemediationAI
Apply the Oracle Critical Patch Update referenced in https://www.oracle.com/security-alerts/cspujun2026.html for Oracle Coherence 15.1.1.0.0 as soon as possible; this is the vendor-released patch and Oracle classifies the issue as easily exploitable, so it should be prioritized in the next emergency change window. Until the CPU can be deployed, restrict network access to Coherence cluster ports and any HTTP-exposed Coherence management/REST endpoints to a trusted management subnet via firewall or security group rules, and place WebLogic/Fusion Middleware tiers using Coherence behind authenticating reverse proxies - note this can break legitimate cross-datacenter cluster traffic and management tooling and should be tested. If feasible, disable or unbind any Coherence REST/HTTP management services that are not strictly required and audit Centralized Third Party Jars versions against Oracle's advisory, accepting that some Fusion Middleware features depending on those jars may degrade. Do not rely on perimeter controls alone given the scope-change impact on adjacent products.
More in Oracle Coherence
View allRemote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthe
Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion
Remote takeover of Oracle Coherence (Fusion Middleware component) is possible by unauthenticated network attackers reach
Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion
Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting support
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware) via HTTP allows attackers to
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37432