CVE-2026-35304: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core)
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical unauthenticated remote code execution vulnerability affects the Core component of Oracle Coherence (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0), part of Oracle Fusion Middleware. An attacker reachable over HTTPS needs no credentials and no victim interaction to exploit it. Successful exploitation results in full takeover of the Oracle Coherence instance, including arbitrary code execution with all associated confidentiality, integrity, and availability impacts. No fix version has been published yet; HarborGuard tracks the upstream advisory and will surface a patched-image rebuild the moment Oracle releases one.
HarborGuard Coverage
Detection: Available. CVE-2026-35304 is ingested from upstream Oracle and NVD feeds within minutes of publication in every HarborGuard environment and matched against all customer images, including custom-built images that layer Oracle Coherence into their own base. Any image in a connected registry or CI pipeline carrying an affected version is flagged automatically.
Scoring: Available. HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
Patched-image rebuild: Pending upstream. Because no upstream fix version has been published, HarborGuard re-evaluates the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a corrected release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once that fix is available.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Oracle Coherence service over the network via HTTPS; no local or physical access to the host is needed.
- Authentication: Not required
  No credentials of any kind are required; the vulnerability is exploitable by a completely unauthenticated attacker.
- Victim interaction: Not required
  The attacker does not need any user or administrator to take any action; exploitation is fully attacker-driven.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.
Blast Radius
- A successful attacker gains the ability to execute arbitrary code in the context of the Oracle Coherence process, achieving full host-level takeover.
- All data accessible to the Coherence instance, including cached application data and secrets, can be read by the attacker.
- The attacker can modify or delete any data held or managed by the Coherence cluster, corrupting application state and persisted records.
- The attacker can crash or permanently disable the Coherence service, causing a full denial of availability for any application that depends on it.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-35304, the platform monitors the Oracle advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment Oracle publishes a fix. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression test run and a PR opened against affected workloads, without requiring manual action. In the interim, HarborGuard recommends applying network-policy controls to restrict inbound HTTPS access to Coherence cluster ports to known and trusted sources only, using egress filtering to limit lateral movement if a node is compromised, and evaluating whether Coherence cluster membership can be isolated to a dedicated network segment or namespace. All affected image findings are surfaced in the HarborGuard dashboard with a severity of CRITICAL, and compliance-policy alerting is available to ensure the right teams are notified immediately.
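The interim network-policy controls recommended above, expressed as an added Kubernetes NetworkPolicy example (this is not HarborGuard's or Oracle's own configuration). It assumes Coherence members run as pods labelled `app: coherence` in a dedicated namespace `coherence-prod`, that the only legitimate clients are pods labelled `role: coherence-client` in namespace `app-prod`, and that the HTTPS endpoint listens on TCP 30000 (an assumed port; substitute whatever your deployment actually exposes). The first policy makes the cache pods default-deny in both directions; the second adds back only trusted client ingress, member-to-member traffic, and DNS egress, so a compromised member has little room to move laterally.

```yaml
# Added example: NetworkPolicy pair implementing the interim mitigation.
# Namespace, labels and the HTTPS port are assumptions; adjust to your deployment.
---
# 1. Default-deny. With no rules and both policy types listed, nothing may
#    reach the selected pods and they may reach nothing until a second
#    policy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: coherence-default-deny
  namespace: coherence-prod            # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: coherence                   # assumed pod label
  policyTypes: ["Ingress", "Egress"]
---
# 2. Allowlist. Policies are additive, so this re-opens only:
#    - HTTPS from trusted client pods in one named namespace
#    - any traffic between cluster members themselves
#    - DNS egress to kube-system
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: coherence-allowlist
  namespace: coherence-prod
spec:
  podSelector:
    matchLabels:
      app: coherence
  policyTypes: ["Ingress", "Egress"]
  ingress:
    # Trusted clients only: namespaceSelector AND podSelector in one
    # entry means both must match.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: app-prod   # assumed client namespace
          podSelector:
            matchLabels:
              role: coherence-client                  # assumed client label
      ports:
        - protocol: TCP
          port: 30000                                 # assumed HTTPS port
    # Cluster peers: member-to-member traffic uses several ports, so no
    # port restriction is applied here; the pod label alone scopes it.
    - from:
        - podSelector:
            matchLabels:
              app: coherence
  egress:
    # Members may only talk to other members...
    - to:
        - podSelector:
            matchLabels:
              app: coherence
    # ...and resolve names. Everything else (internet, other namespaces)
    # is blocked by the default-deny policy above.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply both with `kubectl apply -f`, and verify with a test pod outside `app-prod` that the HTTPS port is no longer reachable; NetworkPolicy is only enforced when the cluster's CNI supports it, so confirm that first. This shrinks exposure of the unauthenticated HTTPS path to a known client set but does not remove the vulnerability; the patched image still has to be deployed when Oracle releases it.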
- Oracle Corporation / Oracle Coherence: 12.2.1.4.0 · 14.1.1.0.0 · 14.1.2.0.0 · 15.1.1.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H