External risk intelligence

Oracle Coherence Critical Data Disclosure Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.3)

CVE-2026-35305

A critical vulnerability exists in Oracle Coherence, allowing unauthenticated attackers with network access to compromise the product and potentially impact other connected products. Successful exploitation could lead to unauthorized access to critical data or unauthorized modification of data.

Halo Surface Signal

Likely · external exposure


Oracle Coherence is often deployed as a middleware layer or data grid supporting web applications and APIs. The vulnerability is explicitly exploitable via unauthenticated HTTP network access, making it a common target for internet-reachable service endpoints and application integrations.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle Coherence, a component within Oracle Fusion Middleware. This issue could allow unauthorized access to sensitive data or enable malicious modifications within the system. The nature of this vulnerability means that even though it exists within Oracle Coherence, it may have broader implications for other connected products.

  • Vulnerability impacts Oracle Coherence data access.
  • Critical flaw can lead to data breaches or unauthorized changes.
  • Confirm relevance and assess potential business exposure.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests over the network to an exposed Oracle Coherence instance. This could allow them to access, modify, or delete critical data within the system, potentially impacting other connected Oracle products.

  • No authentication needed.
  • Network access via HTTP.
  • Unauthorized data access or modification.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could expose sensitive data and allow unauthorized modifications to data within Oracle Coherence. An unauthenticated attacker with network access could exploit it to gain unauthorized access to critical information or alter existing data, and because the vulnerability's scope extends beyond the vulnerable component, connected products can also be affected.

  • Critical data in Oracle Coherence.
  • Network access over HTTP.
  • Unauthorized data access and modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

The vulnerability in Oracle Coherence, an Oracle Fusion Middleware component, likely impacts application owners and platform teams responsible for its deployment and integration. The first practical step is to identify all instances of Oracle Coherence within the environment, assess their network accessibility and business criticality, and then determine the accountable owner for remediation.

  • Application and Platform teams own the issue.
  • Verify network exposure and business criticality.
  • Coordinate with Oracle for vendor patching.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35305 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Oracle Coherence vulnerability allows unauthenticated network access to compromise the product, potentially leading to unauthorized access to critical data or unauthorized data modification. This type of vulnerability is likely to cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle Coherence and where is it used?

Oracle Coherence is an in-memory data grid solution that acts as a middleware layer. Organizations use it to cache data and manage information across distributed applications, allowing systems to process large volumes of data quickly. It typically supports enterprise web applications and API architectures by serving as a high-performance, scalable data storage and processing engine.

How does this vulnerability work in CVE-2026-35305?

This issue is categorized under CWE-284, which refers to improper access control. In plain terms, the software fails to properly verify that a user has permission to perform actions. Because of this weakness, the system incorrectly trusts incoming requests, allowing unauthorized parties to access, modify, or delete sensitive information stored within the Coherence data grid.

Do I need to be logged in to trigger this bug?

No, authentication is not required to trigger this vulnerability. An attacker can reach the affected software component using standard HTTP network requests. Please note that this vulnerability requires network connectivity to the target; it is not triggered by internal administrative actions or local file manipulation that does not involve incoming network traffic.

Is my system at risk if it is not on the internet?

Halo Surface Signal identifies this as a high-priority risk because the vulnerability is exploitable via HTTP network access. While internet-facing instances are the most immediate concern, any Oracle Coherence instance accessible over an internal network remains at risk. Evaluate the network reachability of each deployment to determine whether it can be reached from untrusted segments of your infrastructure.

What should I do first to manage this risk?

Begin by inventorying your environment to locate all running instances of Oracle Coherence version 15.1.1.0.0. Once identified, work with your platform and application teams to map the network access paths for these systems. Prioritize these instances based on their business importance and reachability, then coordinate directly with Oracle through their security guidance for official updates.
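The inventory, reachability and prioritization steps above (also the Operational Fix section) carried out over a constructed asset list, as an added example that is not part of the Halo advisory and not Oracle tooling. Hostnames, owners, the exposure and criticality labels, and the numeric weights are all assumptions; only the product name and version 15.1.1.0.0 come from the advisory.

```python
# Added example (not from the Halo advisory or Oracle): triage a constructed
# asset inventory through the remediation steps the advisory lists.
import csv
import io

AFFECTED_PRODUCT = "Oracle Coherence"
AFFECTED_VERSION = "15.1.1.0.0"  # version named in the advisory FAQ

# Exposure classes taken from the FAQ ordering: internet-facing first, then
# anything reachable from untrusted internal segments, then isolated.
# The numeric weights are assumptions, not advisory values.
EXPOSURE_WEIGHT = {"internet": 3, "untrusted_internal": 2, "isolated": 1}
CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed sample inventory; hostnames, owners and zones are placeholders.
SAMPLE_INVENTORY = """\
host,product,version,exposure,criticality,owner
cache-01.example.internal,Oracle Coherence,15.1.1.0.0,internet,high,payments-platform
cache-02.example.internal,Oracle Coherence,15.1.1.0.0,isolated,low,dev-tools
cache-03.example.internal,Oracle Coherence,15.1.1.0.0,untrusted_internal,high,orders-app
cache-04.example.internal,Oracle Coherence,14.1.2.0.0,internet,medium,legacy-web
web-01.example.internal,Oracle WebLogic Server,14.1.2.0.0,internet,high,web-platform
"""

def load_inventory(text):
    """Parse the CSV inventory into a list of dicts (one per asset)."""
    return list(csv.DictReader(io.StringIO(text)))

def is_affected(asset):
    """Match only the exact product and version the advisory names."""
    return asset["product"] == AFFECTED_PRODUCT and asset["version"] == AFFECTED_VERSION

def priority_score(asset):
    """Higher score means fix first. An unknown exposure or criticality label
    falls back to the highest weight so an unclassified asset is never silently
    deprioritised."""
    exposure = EXPOSURE_WEIGHT.get(asset["exposure"], max(EXPOSURE_WEIGHT.values()))
    criticality = CRITICALITY_WEIGHT.get(asset["criticality"], max(CRITICALITY_WEIGHT.values()))
    return exposure * criticality

def triage(text):
    """Return affected assets ordered by priority, ready to hand to their owners."""
    affected = [a for a in load_inventory(text) if is_affected(a)]
    return sorted(affected, key=priority_score, reverse=True)

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        print(f"{priority_score(a):>2}  {a['host']:<28} {a['exposure']:<18} "
              f"{a['criticality']:<6} owner={a['owner']}")
```

Assets on a different version or a different product are dropped rather than scored, so a real inventory needs the version field populated accurately before the ranking means anything.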
