Description
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A critical security flaw in Oracle Coherence allows an unauthenticated attacker to exploit the system over HTTPS, resulting in full takeover of the Coherence service. The vulnerability is classified as an authentication bypass (CWE-306) and can be leveraged to compromise confidentiality, integrity, and availability, producing a CVSS v3.1 base score of 9.8.

Affected Systems

The affected versions are Oracle Coherence 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0; these releases provide the Oracle Fusion Middleware component Core that is vulnerable.

Risk and Exploitability

The low EPSS score (<1%) indicates that exploitation is unlikely at the time of this analysis, yet the high CVSS score and lack of KEV listing mean the Coherence HTTPS interface is exposed with no user authentication; once the flaw is leveraged, the attacker can achieve full system compromise.

Generated by OpenCVE AI on June 18, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Oracle Coherence to the latest patched release that addresses the authentication bypass flaw
  • Restrict network access to the Coherence HTTPS endpoints using firewall rules or VPN so that only trusted hosts can reach them
  • Disable or remove any unused Coherence services or interfaces from exposed networks

Generated by OpenCVE AI on June 18, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTPS Authentication Bypass Allowing Full Oracle Coherence Takeover

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle coherence
CPEs cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:coherence:14.1.2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:coherence:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle coherence
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Coherence
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-19T03:55:21.806Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35304

cve-icon Vulnrichment

Updated: 2026-06-17T13:01:03.874Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:00:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function