Description
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in Oracle Coherence’s Centralized Third Party Jars component. An unauthenticated attacker who can reach the Coherence HTTP interface can exploit the weakness and take full control of the application. Successful exploitation can compromise confidentiality, integrity, and availability, allowing the attacker to execute arbitrary code and potentially disrupt service.

Affected Systems

Oracle Coherence versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 are affected. The product is provided by Oracle Corporation and is part of the Oracle Fusion Middleware stack.

Risk and Exploitability

The CVSS score of 9.8 reflects a critical severity with no authentication required (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The EPSS score is less than 1%, indicating a low predicted exploitation probability at the moment, but the vulnerability is publicly known and listed in Oracle’s June 2026 security advisory. The attack vector is inferred to be via direct HTTP requests to the Coherence service, which is reachable over the network and does not require credentials. This means an external attacker could potentially compromise the system without any additional access rights.

Generated by OpenCVE AI on June 17, 2026 at 18:31 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle Coherence patch or upgrade to a supported version as detailed in Oracle’s June 2026 security advisory
  • Restrict inbound HTTP traffic to the Coherence service by configuring firewall rules or network segmentation to allow only trusted hosts
  • Disable or secure the HTTP management interface if it is not required for normal operations
  • Monitor system logs for unusual HTTP activity that could indicate exploitation attempts

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values added (no values removed):

Description: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared: Oracle; Oracle coherence
CPEs:
  cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:coherence:14.1.2.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:coherence:15.1.1.0.0:*:*:*:*:*:*:*
Vendors & Products: Oracle; Oracle coherence
References: (none listed)
Metrics: cvssV3_1, score 9.8, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:38:26.122Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35309

Vulnrichment

No data.

NVD

No data.

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T04:15:02Z

Weaknesses

No weakness.