Description
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle Coherence 15.1.1.0.0 contains an Improper Access Control flaw (CWE‑284) that permits an unauthenticated attacker to access the service via HTTP. The vulnerability allows the attacker to read, insert, update, or delete data that is exposed through the Coherence cache, and may also expand the scope of impact to other products that depend on Coherence. This flaw can be exploited with minimal effort and no credential disclosure is required, leading to significant confidentiality and integrity loss.

Affected Systems

The affected product is Oracle Corporation’s Oracle Coherence component, version 15.1.1.0.0. The advisory notes that other Oracle Fusion Middleware products that rely on Coherence could also be indirectly impacted by the same flaw, although no additional specific products are listed.

Risk and Exploitability

The CVSS vector indicates a high severity rating of 9.3, with network access, low attack complexity, no privileges, no user interaction, and a change of scope that can expose more systems. The EPSS score is below 1 %, suggesting that exploitation may be uncommon in the wild, but the vulnerability is listed as not in the CISA KEV catalog. Nonetheless, because the attack requires only network connectivity to an exposed HTTP endpoint, and no authentication, the potential for compromise remains significant and warrants urgent attention.

Generated by OpenCVE AI on June 18, 2026 at 14:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle’s latest security patch for Oracle Coherence 15.1.1.0.0 as distributed by Oracle
  • Restrict HTTP exposure of the Coherence service by limiting inbound connections to trusted hosts or via VPN or firewall rules
  • Enforce authentication and least‑privilege policies on Coherence data access to prevent unauthorized use

Generated by OpenCVE AI on June 18, 2026 at 14:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Access to Oracle Coherence via HTTP

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
First Time appeared Oracle
Oracle coherence
CPEs cpe:2.3:a:oracle:coherence:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle coherence
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}


Subscriptions

Oracle Coherence
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T12:52:38.477Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35305

cve-icon Vulnrichment

Updated: 2026-06-17T12:51:49.180Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:30:15Z

Weaknesses