Skip to main content

Oracle Coherence EUVDEUVD-2026-37433

| CVE-2026-35307 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
10.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Oracle advisory confirms unauthenticated HTTP exploitation with no user interaction; scope change and full takeover justify S:C and C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:37 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion Middleware versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. The flaw carries the maximum CVSS 3.1 base score of 10.0 with scope change, meaning successful exploitation can pivot impact into other products that rely on the Coherence cluster. No public exploit identified at time of analysis, but the trivial attack complexity and Oracle's critical scoring make this a top-priority patch item.

Technical ContextAI

Oracle Coherence is an in-memory data grid and distributed caching platform used as a clustering/state-management substrate for Oracle Fusion Middleware (WebLogic Server, SOA, WebCenter) and customer-built Java applications. The flaw resides in the Core component and is reachable over HTTP, which suggests an exposed management or cluster-protocol endpoint rather than the proprietary TCMP cluster protocol. Historically, Coherence and related Fusion Middleware components have suffered from unsafe Java deserialization (CWE-502) in T3/IIOP/HTTP listeners; with CWE unspecified here, deserialization or expression-language injection in an HTTP-accessible service is the most plausible root cause given AV:N/AC:L/PR:N and scope change to dependent products.

RemediationAI

Apply the patches distributed via Oracle's June 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory; exact post-patch version identifiers should be taken from the CPU advisory matrix for each supported branch (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0). Until patching, restrict network reachability to Coherence HTTP management and extend endpoints to trusted management subnets via firewall or WebLogic network channel ACLs, disable any unauthenticated HTTP-accessible Coherence REST or management services, and place a reverse proxy enforcing authentication in front of Coherence-fronted applications; note these controls may break legitimate management tooling or cross-datacenter cluster traffic and are not a substitute for the CPU patch. Monitor outbound connections and JVM child-process creation from Coherence/WebLogic JVMs as a detection compensating control.

Share

EUVD-2026-37433 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy