CVE-2026-35305: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars)
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars). The supported version that is affected is 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Coherence accessible data as well as unauthorized update, insert or delete access to some of Oracle Coherence accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated network-exploitable vulnerability exists in Oracle Coherence 15.1.1.0.0 (Fusion Middleware, Centralized Third Party Jars component), reachable over HTTP without any credentials or user interaction. The flaw carries a CVSS 3.1 score of 9.3 (Critical) and has a scope-change characteristic, meaning successful exploitation can spill over into systems beyond Oracle Coherence itself. Exploitation gives an attacker full read access to all data Oracle Coherence can reach and limited write access, including unauthorized insert, update, and delete operations. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.
HarborGuard Coverage
Detection: Available
Detection of CVE-2026-35305 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle Coherence 15.1.1.0.0 or its third-party jar dependencies. Any image in a connected registry or CI pipeline that carries the affected component surfaces immediately in the HarborGuard findings dashboard.
Triage: Available
Triage is available with the full CVSS 3.1 score of 9.3 (Critical) pre-populated, and each finding can be weighted further against per-environment compliance policies to reflect organizational risk tolerance. Routing rules within each customer org determine which team inbox or ticketing system receives the alert, so the right engineers see it without manual filtering.
Patched-image rebuild: Pending upstream
No fix version has been published by Oracle for CVE-2026-35305 as of the CVE publication date, so no patched-image rebuild is available yet. HarborGuard re-checks the upstream advisory on every ingest cycle and will automatically make a rebuilt image available the moment Oracle ships a patch, triggering the standard rebuild-and-PR flow for customers with auto-remediation enabled.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle Coherence HTTP endpoint over the network; no physical or local access is needed.
- Authentication: Not required
No credentials of any privilege level are required; the vulnerability is exploitable by any unauthenticated party with network access.
- Victim interaction: Not required
The attacker does not need to trick or involve any user; exploitation is fully attacker-driven.
- Attack complexity: Low
Low attack complexity means the exploit is reliable and requires no special conditions, race timing, or environmental preparation.
Blast Radius
- Reads all data accessible to Oracle Coherence, including cached objects, session tokens, and any sensitive records stored or passing through the cluster.
- Writes unauthorized inserts, updates, or deletes to a subset of Oracle Coherence accessible data, allowing limited data tampering or poisoning of cached state.
- Because the CVSS scope is changed, compromise can extend beyond Oracle Coherence itself, potentially affecting other Fusion Middleware components or downstream systems that trust Coherence-provided data.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-35305 is active across all connected customer registries and CI pipelines, matching any image that carries Oracle Coherence 15.1.1.0.0 or the affected third-party jar. Because Oracle has not yet published a fix version, no patched-image rebuild is available at this time. HarborGuard monitors the upstream advisory on every ingest cycle and will surface a rebuilt image automatically the moment a fix is released. In the interim, compensating controls worth considering include network-policy isolation to restrict HTTP access to the Coherence endpoint to known internal sources only, egress filtering to limit what Coherence can reach if exploited, and, where operationally feasible, disabling or gating any Coherence features that expose the affected third-party component. For customers with auto-remediation enabled, the rebuild-plus-regression-run-plus-PR flow will activate automatically once a fix version is published, with a median time from CVE publication to merged patch PR of around 90 minutes for critical-severity issues.
- Oracle Corporation / Oracle Coherence 15.1.1.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N