CVE-2026-35307 · Severity: CRITICAL · CNA: oracle

CVE-2026-35307: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core)

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. While the vulnerability is in Oracle Coherence, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1 base score: 10.0
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

A critical unauthenticated remote code execution vulnerability affects the Core component of Oracle Coherence (versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0) in Oracle Fusion Middleware. The flaw is reachable over the network via HTTP with no credentials and no user interaction, and it carries a scope-change rating, meaning a successful attack can break out of the directly targeted component and affect other systems. Successful exploitation results in full takeover of the Oracle Coherence instance, giving an attacker control over the confidentiality, integrity, and availability of the data it holds. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Oracle publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-35307 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that layer Oracle Coherence. No manual configuration is needed for detection to engage.

Triage: Available

HarborGuard is capable of scoring this CVE at its full CVSS 3.1 severity of 10.0 (Critical) and weighting that score against each environment's compliance policy to surface it at the correct priority. Triage routing directs findings to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without requiring manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Coherence HTTP endpoint over the network; no local or physical access is needed, making any internet- or intranet-exposed instance directly at risk.

  • Authentication: Not required

    No credentials of any kind are required; an anonymous attacker with network access can send a malicious HTTP request without first obtaining an account.

  • Victim interaction: Not required

    The attack is fully server-side and completes without any action from a user or administrator on the target system.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and repeatable with no race conditions, special memory layout requirements, or other environmental preconditions to satisfy.

Blast Radius

  • A successful attacker achieves full takeover of the Oracle Coherence instance, reading all data held in the distributed cache including session tokens, application state, and any sensitive records stored by connected applications.
  • The attacker can write or delete arbitrary cache entries, corrupting application data and causing downstream services that depend on Coherence to behave incorrectly or serve tampered content.
  • The attacker can crash or indefinitely disrupt the Coherence service, causing denial of availability for all applications that rely on it for data distribution or coordination.
  • Because the CVSS scope is marked as changed, the attacker can leverage the compromised Coherence node to pivot and affect other products or services running in the same environment beyond Coherence itself.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of this advisory across all connected environments, with detection matching images against CVE-2026-35307 within minutes of each ingest cycle. Because Oracle has not yet published a fix version, no patched rebuild is currently available; HarborGuard re-evaluates the advisory on every cycle and will surface a rebuild automatically when Oracle ships a patch. In the interim, compensating controls worth reviewing include network-policy rules that restrict inbound HTTP access to Oracle Coherence ports to known trusted sources only, egress filtering to limit lateral movement if a node is compromised, and, where operationally feasible, disabling or isolating Coherence cluster members that do not need to be internet-reachable. For customers with auto-remediation enabled, the moment a fix version is published the pipeline will rebuild affected images, run regression tests, and open a PR against impacted workloads with no manual steps required.

Affected packages
  • Oracle Corporation / Oracle Coherence
    12.2.1.4.0 · 14.1.1.0.0 · 14.1.2.0.0 · 15.1.1.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H