CVE-2026-35310 · Severity: CRITICAL · CNA: oracle

CVE-2026-35310: Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core)

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fixed version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical unauthenticated remote takeover vulnerability exists in the Core component of Oracle Coherence, part of Oracle Fusion Middleware. The flaw is reachable over HTTP from any network location and requires neither authentication nor user interaction, as the CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates. Successful exploitation gives an attacker full control of the Oracle Coherence instance, including complete read, write, and availability impact. No fix version has been published by Oracle; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection (status: Available)

Detection of CVE-2026-35310 is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including internally built images that layer Oracle Coherence components. Any image running an affected version (12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, or 15.1.1.0.0) will be flagged in both registry scans and CI/CD pipeline checks.

Triage (status: Available)

HarborGuard triage for this CVE is available at CVSS 9.8 Critical severity, surfaced with full vector detail so engineers can assess scope quickly. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (status: Pending upstream)

Because no upstream fix version has been published, HarborGuard re-evaluates the Oracle advisory on every ingest cycle, typically several times per day. The moment Oracle publishes a patched release, a rebuilt image at that version becomes available, and customers with auto-remediation enabled will receive a regression-tested rebuild and an automatically opened PR against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Coherence HTTP service over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    No credentials or account of any privilege level are required to trigger the vulnerability.

  • Victim interaction: Not required

    The attack is fully server-side and completes without any action from a logged-in user or administrator.

  • Attack complexity: Low (AC:L)

    Exploit conditions are straightforward and reliable, with no race conditions or special environmental factors required.

Blast Radius

  • A successful attacker achieves full takeover of the Oracle Coherence instance, gaining the ability to read all data managed by the cluster, including cached application data and any secrets or session material stored there.
  • The attacker can write or delete arbitrary data within the Coherence data grid, corrupting application state or injecting malicious payloads consumed by downstream services.
  • The attacker can crash or render the Coherence service unavailable, disrupting any application that depends on the cluster for caching or distributed computation.
  • Because Coherence often acts as a shared data tier across multiple application services, a takeover can serve as a lateral-movement pivot into connected backend systems.

How HarborGuard Handles This

Available on HarborGuard: automatic detection of this Critical-severity advisory (CVSS 9.8) is active across all customer environments via continuous feed ingestion and image matching. Because Oracle has not yet published a fixed version, HarborGuard re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment upstream ships a fix. For customers with auto-remediation enabled, that flow includes a regression-test run and a PR opened against affected workloads with no manual intervention required. In the interim, compensating controls worth evaluating include network-policy rules that restrict inbound HTTP access to the Coherence port to trusted application-tier sources only, egress filtering to limit what a compromised Coherence node can reach, and feature-flag or deployment-level disabling of Coherence endpoints that are not required for production operation. HarborGuard will emit a new finding event when the patched rebuild becomes available so affected environments are not left waiting on manual advisory monitoring.
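As an added illustration that is not part of the HarborGuard page or Oracle's advisory, the inbound-restriction and egress-filtering controls above can be expressed as a Kubernetes NetworkPolicy; the namespace names, pod labels and the HTTP port number are assumptions chosen for this example and must be replaced with the values of the actual deployment.

```yaml
# Added example (not HarborGuard or Oracle code). Assumptions: Coherence pods
# carry app=coherence in namespace data-tier, the application tier carries
# tier=app in namespace app-tier, and the Coherence HTTP endpoint that must
# stay reachable is on placeholder port 30000 (replace with the real port).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: coherence-interim-lockdown
  namespace: data-tier
spec:
  podSelector:
    matchLabels:
      app: coherence
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only application-tier pods may reach the Coherence HTTP port; every
    # other source (other namespaces, node network, internet) is denied.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: app-tier
          podSelector:
            matchLabels:
              tier: app
      ports:
        - protocol: TCP
          port: 30000
    # Cluster members still need to talk to each other on their own ports.
    - from:
        - podSelector:
            matchLabels:
              app: coherence
  egress:
    # A compromised Coherence node may only resolve DNS and reach its peers,
    # which limits what it can pivot to while the upstream fix is pending.
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: coherence
```

Apply it with kubectl after confirming the labels match, and verify that a pod outside app-tier can no longer open a TCP connection to the Coherence HTTP port while application pods still can.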

Affected packages
  • Oracle Corporation / Oracle Coherence
    12.2.1.4.0 · 14.1.1.0.0 · 14.1.2.0.0 · 15.1.1.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H