Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Oracle advisory confirms unauthenticated HTTP exploitation with no user interaction; scope change and full takeover justify S:C and C/I/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion Middleware versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries the maximum CVSS 3.1 base score of 10.0 with scope change, meaning successful exploitation can pivot impact into other products that rely on the Coherence cluster. No public exploit identified at time of analysis, but the trivial attack complexity and Oracle's critical scoring make this a top-priority patch item.
Technical ContextAI
Oracle Coherence is an in-memory data grid and distributed caching platform used as a clustering/state-management substrate for Oracle Fusion Middleware (WebLogic Server, SOA, WebCenter) and customer-built Java applications. The flaw resides in the Core component and is reachable over HTTP, which suggests an exposed management or cluster-protocol endpoint rather than the proprietary TCMP cluster protocol. Historically, Coherence and related Fusion Middleware components have suffered from unsafe Java deserialization (CWE-502) in T3/IIOP/HTTP listeners; with CWE unspecified here, deserialization or expression-language injection in an HTTP-accessible service is the most plausible root cause given AV:N/AC:L/PR:N and scope change to dependent products.
RemediationAI
Apply the patches distributed via Oracle's June 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory; exact post-patch version identifiers should be taken from the CPU advisory matrix for each supported branch (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0). Until patching, restrict network reachability to Coherence HTTP management and extend endpoints to trusted management subnets via firewall or WebLogic network channel ACLs, disable any unauthenticated HTTP-accessible Coherence REST or management services, and place a reverse proxy enforcing authentication in front of Coherence-fronted applications; note these controls may break legitimate management tooling or cross-datacenter cluster traffic and are not a substitute for the CPU patch. Monitor outbound connections and JVM child-process creation from Coherence/WebLogic JVMs as a detection compensating control.
More in Oracle Coherence
View allRemote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthe
Remote takeover of Oracle Coherence (Fusion Middleware component) is possible by unauthenticated network attackers reach
Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion
Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting support
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware, Centralized Third Party Jars
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware) via HTTP allows attackers to
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37433