External risk intelligence

Oracle Coherence Takeover Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-35304

A critical vulnerability in Oracle Coherence, a component of Oracle Fusion Middleware, allows unauthenticated attackers with network access via HTTPS to take over the system. This presents significant risks to confidentiality, integrity, and availability. Confirmation of its presence and reachability within our environ

Missing Authentication

Halo Surface Signal

Likely · external exposure

4Halo Surface Signal

Oracle Coherence is a middleware component often deployed in service-oriented architectures and web application backends. While it is not typically a direct public-facing edge gateway, it is commonly exposed to network segments that handle web traffic or external API requests, making it plausibly reachable via HTTPS in many enterprise application environments.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle Coherence, a middleware component used in Oracle Fusion Middleware. This issue, if exploited, could allow an attacker to completely take over the Oracle Coherence system without needing any prior authentication. The high CVSS score of 9.8 indicates significant impacts on confidentiality, integrity, and availability. The main concern at this stage is confirming the relevance and exposure of this technology within our environment.

Unauthenticated access can fully compromise Oracle Coherence.
It's a critical Oracle middleware component, widely used.
Confirm exposure and relevance to Oracle Coherence.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker with network access over HTTPS could exploit a vulnerability in Oracle Coherence. This would allow them to gain complete control of the Coherence system.

Attacker starts with network access.
Exploits Oracle Coherence Core component.
Results in full system takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker with network access via HTTPS to compromise Oracle Coherence, potentially leading to a complete takeover of the system. This impacts confidentiality, integrity, and availability of the Coherence instance.

Oracle Coherence takeover.
Unauthenticated network access via HTTPS.
Full system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Oracle Coherence, accessible via HTTPS, requires immediate attention. The first practical step is to identify all deployments of the affected Oracle Coherence product, confirm their network reachability and business criticality, and then pinpoint the accountable owner to plan remediation.

Ownership: Application or platform teams.
Verify first: Identify and assess affected Coherence instances.
Action: Plan remediation based on exposure and criticality.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35304 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Oracle Coherence vulnerability allows an unauthenticated attacker to compromise the system, potentially leading to a takeover. Such vulnerabilities often result in automatic PCI ASV scan failures due to their severe impact on confidentiality, integrity, and availability.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is Oracle Coherence?

Oracle Coherence is a middleware product within Oracle Fusion Middleware. It provides distributed caching and data grid capabilities, allowing applications to store and manage large volumes of data in memory across multiple servers to improve performance and scalability in enterprise environments.

What does CWE-306 mean for CVE-2026-35304?

CWE-306 refers to Missing Authentication for Critical Function. In the context of this CVE, it means the Oracle Coherence system performs sensitive operations or allows access without verifying the user's identity first. Because this check is absent, an attacker can bypass security controls to interact with the core component directly.

How does an attacker trigger this vulnerability?

An attacker needs network access to the target Oracle Coherence instance and must be able to send requests via HTTPS. The vulnerability does not require any prior user accounts or valid credentials to execute. Note that access is strictly limited to network-reachable instances; internal systems isolated from broader network segments are not accessible in the same way.

Is my environment at risk from this CVE?

Halo Surface Signal indicates that while Oracle Coherence is middleware, it is often placed in network segments that handle web traffic or API requests, making it reachable via HTTPS. You should care if your Coherence instances are placed in these accessible network paths, as they are likely to be reachable by an attacker.

What should I do first to manage this risk?

Your first step is to locate all deployments of Oracle Coherence across your infrastructure. Once identified, evaluate whether these instances are reachable over the network via HTTPS and determine their business criticality. After assessing the exposure and importance of each deployment, coordinate with the specific application or platform team that owns the service to begin remediation planning.

References

www.oracle.com/security-alerts/cspujun2026.html

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.