Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Oracle describes easy unauthenticated HTTP exploitation yielding full takeover with impact on adjacent products, justifying AV:N, AC:L, PR:N, UI:N, S:C and C/I/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthenticated network attacker over HTTP to fully compromise affected deployments, with scope change permitting impact on additional connected products. Supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 carry a maximum CVSS 3.1 base score of 10.0 across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
Oracle Coherence is an in-memory data grid and distributed caching platform commonly embedded within Oracle Fusion Middleware stacks (including WebLogic-based deployments) to provide low-latency state sharing and scalability for Java-based enterprise applications. The flaw resides in the 'Centralized Third Party Jars' component, which manages bundled third-party libraries shipped with Coherence; historically, such packaging surfaces in Oracle products (e.g., past Coherence CVEs CVE-2020-2555, CVE-2023-21931) have been tied to unsafe Java deserialization via T3/IIOP or HTTP-exposed endpoints in dependent libraries. The CPE 'cpe:2.3:a:oracle_corporation:oracle_coherence' confirms the Coherence product itself as the vulnerable component, while the CVSS scope change (S:C) indicates exploitation reaches authorization boundaries beyond Coherence - typical when Coherence is co-located with a hosting WebLogic server or other Fusion Middleware components. No CWE was assigned in the supplied data, so the precise root-cause class (deserialization, authentication bypass, or path traversal in the jar-handling logic) cannot be confirmed without the vendor advisory.
RemediationAI
Apply patches from the Oracle Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html for Oracle Coherence versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0; exact post-patch build numbers are listed in that advisory and should be cited from Oracle directly rather than inferred. Until the CPU can be applied, restrict network reachability to Coherence cluster ports and any HTTP management/REST endpoints to trusted management subnets via firewall or security-group ACLs (this will break external client-tier connectivity to the grid, so coordinate with application owners). If Coherence is fronted by WebLogic, ensure WebLogic listen addresses are bound to internal interfaces only and that T3/IIOP filters are enforced, accepting that legitimate remote management may be impacted. Inventory all Fusion Middleware hosts (including those bundling Coherence transitively) to ensure every embedded instance is patched, since unpatched co-resident copies remain exploitable.
More in Oracle Coherence
View allRemote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion
Remote takeover of Oracle Coherence (Fusion Middleware component) is possible by unauthenticated network attackers reach
Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion
Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting support
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware, Centralized Third Party Jars
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware) via HTTP allows attackers to
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37434