Description
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Oracle Coherence allows an unauthenticated attacker with network access via HTTP to compromise the system, potentially leading to a full takeover. The flaw results in total loss of confidentiality, integrity, and availability, as reflected by the CVSS 3.1 score of 9.8. The network attack vector and lack of required privileges highlight the severity of the weakness, which likely stems from improper access control or authentication checks within the Core component.

Affected Systems

The affected products are Oracle Corporation’s Oracle Coherence across versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0. Administrators of these installations should verify which version is in use and plan for remediation.

Risk and Exploitability

The high CVSS score indicates a critical risk, though the EPSS score of less than 1% indicates a low estimated probability of exploitation in the near term. The vulnerability is not listed in CISA’s KEV catalog, but the potential for remote takeover remains significant. Attackers would need only an unauthenticated HTTP connection to attempt exploitation, underscoring the importance of patching or implementing network restrictions.

Generated by OpenCVE AI on June 17, 2026 at 20:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle’s latest patch or upgrade to a version that addresses the vulnerability as detailed in the official Oracle security alert.
  • Restrict access to Oracle Coherence’s HTTP ports using firewalls or security group rules to limit exposure to trusted networks.
  • Ensure that all remote management interfaces are disabled or protected by strong authentication mechanisms, preventing unauthenticated access.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values Added (no Values Removed in this change):

  • Description: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
  • First Time appeared: Oracle; Oracle coherence
  • CPEs:
      cpe:2.3:a:oracle:coherence:12.2.1.4.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:coherence:14.1.1.0.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:coherence:14.1.2.0.0:*:*:*:*:*:*:*
      cpe:2.3:a:oracle:coherence:15.1.1.0.0:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle coherence
  • References: none listed
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:38:16.450Z

Reserved: 2026-04-01T20:03:40.837Z

Link: CVE-2026-35310

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:00:12Z

Weaknesses

No weakness.