Skip to main content

Oracle Coherence EUVDEUVD-2026-37434

| CVE-2026-35308 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
10.0
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
10.0 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
10.0 CRITICAL

Oracle describes easy unauthenticated HTTP exploitation yielding full takeover with impact on adjacent products, justifying AV:N, AC:L, PR:N, UI:N, S:C and C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:38 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthenticated network attacker over HTTP to fully compromise affected deployments, with scope change permitting impact on additional connected products. Supported versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 carry a maximum CVSS 3.1 base score of 10.0 across confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Oracle Coherence is an in-memory data grid and distributed caching platform commonly embedded within Oracle Fusion Middleware stacks (including WebLogic-based deployments) to provide low-latency state sharing and scalability for Java-based enterprise applications. The flaw resides in the 'Centralized Third Party Jars' component, which manages bundled third-party libraries shipped with Coherence; historically, such packaging surfaces in Oracle products (e.g., past Coherence CVEs CVE-2020-2555, CVE-2023-21931) have been tied to unsafe Java deserialization via T3/IIOP or HTTP-exposed endpoints in dependent libraries. The CPE 'cpe:2.3:a:oracle_corporation:oracle_coherence' confirms the Coherence product itself as the vulnerable component, while the CVSS scope change (S:C) indicates exploitation reaches authorization boundaries beyond Coherence - typical when Coherence is co-located with a hosting WebLogic server or other Fusion Middleware components. No CWE was assigned in the supplied data, so the precise root-cause class (deserialization, authentication bypass, or path traversal in the jar-handling logic) cannot be confirmed without the vendor advisory.

RemediationAI

Apply patches from the Oracle Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html for Oracle Coherence versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0; exact post-patch build numbers are listed in that advisory and should be cited from Oracle directly rather than inferred. Until the CPU can be applied, restrict network reachability to Coherence cluster ports and any HTTP management/REST endpoints to trusted management subnets via firewall or security-group ACLs (this will break external client-tier connectivity to the grid, so coordinate with application owners). If Coherence is fronted by WebLogic, ensure WebLogic listen addresses are bound to internal interfaces only and that T3/IIOP filters are enforced, accepting that legitimate remote management may be impacted. Inventory all Fusion Middleware hosts (including those bundling Coherence transitively) to ensure every embedded instance is patched, since unpatched co-resident copies remain exploitable.

Share

EUVD-2026-37434 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy