Description
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Core component of Oracle Coherence, part of Oracle Fusion Middleware, and allows an unauthenticated attacker with network access via HTTP to execute arbitrary code and seize full control of the installation. Because the scope is changed by the flaw, it can also compromise additional applications that depend on Coherence, resulting in loss of confidentiality, integrity, and availability for the target system.

Affected Systems

Oracle Coherence versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0 are affected. These releases are distributed as part of Oracle Fusion Middleware and are listed in the Oracle security advisory released in June 2026.

Risk and Exploitability

The CVSS base score is 10, while the EPSS score is below 1%: the flaw is easy to exploit in principle, but its current estimated probability of exploitation in the wild is low. The attack vector is network-based over HTTP and requires no authentication or user interaction, and because the vulnerability changes scope, the damage can extend to an entire Coherence cluster or any integrated applications. The vulnerability is not yet listed in CISA's KEV catalog, but its severity warrants prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Obtain and apply the official Oracle patch that addresses CVE-2026-35307.
  • Restrict HTTP access to Oracle Coherence to trusted networks or block untrusted IPs via firewalls and network segmentation.
  • Configure Coherence to require authentication for all HTTP endpoints, or disable the HTTP interface if it is not used.
  • Monitor Coherence logs for anomalous or unexpected API requests and investigate any suspicious activity.

Generated by OpenCVE AI on June 17, 2026 at 18:31 UTC.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle coherence
CPEs | | cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:coherence:14.1.2.0.0:*:*:*:*:*:*:*; cpe:2.3:a:oracle:coherence:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle coherence
References | |
Metrics | | cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:38:47.995Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35307

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T01:30:04Z

Weaknesses

No weakness.