Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vendor confirms unauthenticated network HTTP exploitation with low complexity and no user interaction, resulting in full product takeover, justifying PR:N/UI:N and C/I/A:H.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion Middleware deployments running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0. The flaw resides in the Centralized Third Party Jars component and carries a critical 9.8 CVSS score with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the trivial attack profile and Oracle's CPU disclosure pattern make weaponization likely.
Technical ContextAI
Oracle Coherence is an in-memory data grid platform used in Fusion Middleware deployments for distributed caching, computation, and event processing across clustered Java application servers. The vulnerable component, 'Centralized Third Party Jars,' refers to bundled third-party library dependencies shipped with Coherence - historically this packaging has been the source of deserialization and library-level flaws (e.g., prior Coherence CVEs tied to Java serialization in T3/IIOP/HTTP listeners). No CWE is assigned in the source data, but the CVSS profile (network, low complexity, no auth, full CIA impact, scope unchanged) combined with the 'Centralized Third Party Jars' surface is consistent with an unsafe-deserialization or expression-injection class flaw exposed over an HTTP endpoint.
RemediationAI
Apply the Oracle Critical Patch Update for June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - the advisory ships fixes for all four affected versions (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0); patch available per vendor advisory, though specific post-patch version strings are not enumerated in the source data and should be confirmed against the CPU patch matrix. If patching cannot be performed immediately, restrict network reachability of Coherence HTTP management and cluster ports (default management REST on 30000/HTTP, Extend proxy listeners, and any custom HTTP endpoints) to trusted management subnets only via firewall ACLs, which will break remote client/admin access from outside the allowlisted range. Where Coherence is fronted by an application server, disable or remove unused HTTP listeners and Centralized Third Party Jars-exposed endpoints, accepting that any client relying on those endpoints will lose connectivity until patched.
More in Oracle Coherence
View allRemote takeover of Oracle Coherence (Fusion Middleware) via the Centralized Third Party Jars component allows an unauthe
Remote takeover of Oracle Coherence is possible via HTTP by an unauthenticated network attacker, affecting Oracle Fusion
Remote takeover of Oracle Coherence (Fusion Middleware component) is possible by unauthenticated network attackers reach
Remote unauthenticated takeover of Oracle Coherence (Oracle Fusion Middleware) is possible over HTTPS, affecting support
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware, Centralized Third Party Jars
Unauthenticated remote compromise of Oracle Coherence 15.1.1.0.0 (Oracle Fusion Middleware) via HTTP allows attackers to
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37435