Skip to main content

Oracle Coherence EUVDEUVD-2026-37435

| CVE-2026-35309 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Vendor confirms unauthenticated network HTTP exploitation with low complexity and no user interaction, resulting in full product takeover, justifying PR:N/UI:N and C/I/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:38 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Coherence is possible by unauthenticated attackers with HTTP network access to affected Fusion Middleware deployments running versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0. The flaw resides in the Centralized Third Party Jars component and carries a critical 9.8 CVSS score with full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the trivial attack profile and Oracle's CPU disclosure pattern make weaponization likely.

Technical ContextAI

Oracle Coherence is an in-memory data grid platform used in Fusion Middleware deployments for distributed caching, computation, and event processing across clustered Java application servers. The vulnerable component, 'Centralized Third Party Jars,' refers to bundled third-party library dependencies shipped with Coherence - historically this packaging has been the source of deserialization and library-level flaws (e.g., prior Coherence CVEs tied to Java serialization in T3/IIOP/HTTP listeners). No CWE is assigned in the source data, but the CVSS profile (network, low complexity, no auth, full CIA impact, scope unchanged) combined with the 'Centralized Third Party Jars' surface is consistent with an unsafe-deserialization or expression-injection class flaw exposed over an HTTP endpoint.

RemediationAI

Apply the Oracle Critical Patch Update for June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - the advisory ships fixes for all four affected versions (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0); patch available per vendor advisory, though specific post-patch version strings are not enumerated in the source data and should be confirmed against the CPU patch matrix. If patching cannot be performed immediately, restrict network reachability of Coherence HTTP management and cluster ports (default management REST on 30000/HTTP, Extend proxy listeners, and any custom HTTP endpoints) to trusted management subnets only via firewall ACLs, which will break remote client/admin access from outside the allowlisted range. Where Coherence is fronted by an application server, disable or remove unused HTTP listeners and Centralized Third Party Jars-exposed endpoints, accepting that any client relying on those endpoints will lose connectivity until patched.

Share

EUVD-2026-37435 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy