Description
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Centralized Third Party Jars component of Oracle Coherence. It allows an unauthenticated attacker with network access via HTTP to gain unauthorized access to critical data, or complete access to all Coherence-accessible data, and to perform unauthorized update, insert, or delete operations on some of that data. Per the CVSS vector (C:H/I:L), the confidentiality impact is high and the integrity impact is low.

Affected Systems

Oracle Coherence version 15.1.1.0.0 is affected. Because the vulnerability involves a scope change (S:C), attacks may also significantly impact additional products.

Risk and Exploitability

The CVSS v3.1 base score of 9.3 is rated Critical, with high confidentiality impact, low integrity impact and no availability impact (C:H/I:L/A:N). The EPSS score is below 1%, suggesting a low current probability of exploitation, and the issue is not listed in CISA KEV. However, the attack vector is a network-facing HTTP endpoint that requires no authentication or user interaction (AV:N/PR:N/UI:N), which makes the threat significant for organizations that expose Coherence services to the network.

Generated by OpenCVE AI on June 17, 2026 at 20:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle security update or upgrade Oracle Coherence to a non‑affected version to remove the vulnerable component.
  • Restrict network access to the Coherence HTTP endpoint, allowing traffic only from trusted hosts or placing the service behind a VPN or firewall rules.
  • If a patch is not immediately available, monitor all HTTP traffic for suspicious activity and enforce strict authentication and authorization controls on exposed interfaces.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type: Values Added (the Values Removed column is empty for every row)

  • Description: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
  • First Time appeared: Oracle; Oracle coherence
  • CPEs: cpe:2.3:a:oracle:coherence:15.1.1.0.0:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle coherence
  • References:
  • Metrics: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:38:58.497Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35306

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:15:03Z

Weaknesses

No weakness.