External risk intelligence

Oracle Coherence Takeover Vulnerability via HTTP

CVE advisory · Severity: CRITICAL (CVSS 10.0)

CVE-2026-35307

A critical vulnerability exists in Oracle Coherence, a component of Oracle Fusion Middleware, allowing unauthenticated attackers with network access via HTTP to potentially take over the system. Successful exploitation could significantly impact other connected products.

Oracle Coherence

Versions: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0

Halo Surface Signal

Possible · external exposure


Oracle Coherence is a data grid solution typically used in backend or clustered environments. While this vulnerability is reachable via HTTP, these components are not standard for direct public internet exposure. Exposure is possible in specific service-oriented architectures or due to misconfiguration, but it is not the intended design for this middleware.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle Coherence, a component within Oracle Fusion Middleware. This issue is easily exploitable by unauthenticated attackers over the network and could lead to a complete takeover of the Coherence system, potentially impacting other connected products.

  • Vulnerability allows attackers to take over Coherence.
  • Critical flaw affects backend data grid technology.
  • Confirm relevance and scope of Oracle Coherence.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker with network access can target Oracle Coherence through HTTP, potentially leading to a complete takeover of the component and impacting other products.

  • No authentication required.
  • Network access via HTTP.
  • Full system takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker with network access to completely take over Oracle Coherence. As the advisory notes, the impact could extend to additional products integrated with Coherence, leading to broad system compromise.

  • Oracle Coherence system data.
  • Network access via HTTP.
  • Takeover of the Coherence system.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Oracle Coherence component within Oracle Fusion Middleware is susceptible to a critical, easily exploitable vulnerability. This impacts backend or clustered environments, and while reachable via HTTP, direct public internet exposure is not the intended design. Teams responsible for Oracle Fusion Middleware, application owners, and potentially platform or infrastructure teams should collaborate to identify affected systems, assess their reachability and business criticality, and then prioritize remediation efforts.

  • Identify Oracle Coherence instances.
  • Verify network exposure and impact.
  • Plan risk-based remediation.
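The three steps above (identify instances, verify exposure, prioritize) as a small inventory triage script. This is an added example, not code from the advisory or from Oracle; it assumes the version list on the page is the affected set, and the CSV inventory format and hostnames are constructed sample data.

```python
# Versions listed on the advisory page, assumed here to be the affected set.
AFFECTED_VERSIONS = {"12.2.1.4.0", "14.1.1.0.0", "14.1.2.0.0", "15.1.1.0.0"}

# Exposure classes in remediation order: broadly reachable hosts first.
EXPOSURE_RANK = {"internet": 0, "partner-dmz": 1, "internal": 2}

def parse_inventory(text):
    """Parse 'host,product,version,exposure' CSV lines into dicts."""
    assets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        host, product, version, exposure = [f.strip() for f in line.split(",")]
        assets.append({"host": host, "product": product,
                       "version": version, "exposure": exposure})
    return assets

def normalize_version(v):
    """Pad to five dotted components so '14.1.1' equals '14.1.1.0.0'."""
    parts = v.split(".")
    parts += ["0"] * (5 - len(parts))
    return ".".join(parts[:5])

def is_affected(asset):
    """Exact match against the listed versions; product name is case-insensitive."""
    return (asset["product"].lower() == "oracle coherence"
            and normalize_version(asset["version"]) in AFFECTED_VERSIONS)

def triage(text):
    """Return (host, version, exposure) for affected assets, most exposed first."""
    hits = [a for a in parse_inventory(text) if is_affected(a)]
    hits.sort(key=lambda a: (EXPOSURE_RANK.get(a["exposure"], 99), a["host"]))
    return [(a["host"], a["version"], a["exposure"]) for a in hits]

# Constructed sample inventory; hostnames are not real.
SAMPLE_INVENTORY = """\
# host,product,version,exposure
coh-int-01.example.test,Oracle Coherence,14.1.1,internal
coh-edge-02.example.test,Oracle Coherence,12.2.1.4.0,internet
coh-old-03.example.test,Oracle Coherence,12.2.1.3.0,internal
wls-04.example.test,Oracle WebLogic,14.1.1.0.0,internet
coh-dmz-05.example.test,oracle coherence,14.1.2.0.0,partner-dmz
"""

if __name__ == "__main__":
    for host, version, exposure in triage(SAMPLE_INVENTORY):
        print(f"{exposure:12} {host:26} {version}")
```

Hosts whose version is not in the listed set (the 12.2.1.3.0 entry) and non-Coherence products are left out, so the output is the ordered worklist for the remediation plan.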

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35307 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Oracle Coherence allows unauthenticated attackers with network access to compromise the product, likely causing a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Oracle Coherence?

Oracle Coherence is an in-memory data grid solution that serves as a caching and data management layer within Oracle Fusion Middleware. It is designed to store, manage, and process large volumes of data across distributed clusters, allowing applications to access information quickly. It typically supports high-performance, scalable backend environments where data must be shared reliably among multiple services.

What does CWE-284 mean for CVE-2026-35307?

CWE-284 identifies an improper access control weakness. In the context of CVE-2026-35307, this means the software fails to properly verify the identity or permissions of a user attempting to interact with the system. Because this protection is missing, an unauthorized person can perform actions they are not supposed to, leading to the full takeover of the Coherence component.

How can an attacker trigger this vulnerability?

An attacker triggers this bug by sending specific HTTP requests to the targeted Oracle Coherence component over the network. Crucially, this attack does not require any prior authentication, meaning no valid login credentials or sessions are needed to initiate the exploit. Access is granted simply through the network path used for HTTP communication.

Do I need to worry if my system is internal?

Halo Surface Signal notes that while this vulnerability is reachable via HTTP, Oracle Coherence is generally used in backend environments and is not intended for direct public internet exposure. While this makes external attacks less common by design, you should still evaluate if any misconfigurations in your service-oriented architecture have inadvertently made these internal components reachable from broader network segments.

Is there a first step to take for this vulnerability?

Start by identifying all deployed instances of Oracle Coherence across your infrastructure to determine which versions are in use. Once you have a list of affected systems, prioritize them based on their business importance and actual network accessibility. Collaborate with your platform and infrastructure teams to plan and apply the necessary security updates provided by the vendor to close the access control gap.
