External risk intelligence

Oracle Coherence Network Takeover Vulnerability

CVE advisory · Severity: CRITICAL (CVSS 10.0)

CVE-2026-35308

A critical vulnerability in Oracle Coherence allows unauthenticated attackers with network access to potentially take over the system, impacting connected products. This issue is reachable via HTTP and could lead to complete system compromise.

Oracle Coherence

  • 12.2.1.4.0
  • 14.1.1.0.0
  • 14.1.2.0.0
  • 15.1.1.0.0

Halo Surface Signal

Possible · external exposure


Oracle Coherence is typically used as an in-memory data grid for backend application caching and distributed computing. While it supports HTTP access and can be exposed, it is generally intended for internal service-to-service communication or private application tiers rather than being a public-facing edge service or web application.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle Coherence, a component within Oracle Fusion Middleware. This issue could allow an attacker to gain complete control of the system without authentication, potentially impacting other connected products due to its scope.

  • Attackers can fully control Coherence without credentials.
  • This critical flaw could impact connected systems.
  • Confirm relevance and exposure to Oracle Coherence.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending unauthenticated network requests to an exposed Oracle Coherence instance. If successful, this could lead to a complete takeover of the Coherence environment, potentially impacting other connected products.

  • No authentication required.
  • Triggered via network access over HTTP.
  • Leads to complete system takeover.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Coherence, potentially leading to a takeover of the service. Because of the vulnerability's scope, attacks may also impact additional connected products.

  • Oracle Coherence service data.
  • Network access via HTTP.
  • Complete takeover of the service.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Oracle Coherence, a component of Oracle Fusion Middleware, likely impacts application owners and platform teams responsible for managing data grids and backend services. The initial focus should be on identifying all deployments of affected Oracle Coherence versions, determining their network accessibility, confirming business criticality, and locating the accountable owner to initiate a risk-based remediation plan.

  • Owner: Application and platform teams.
  • Verify: Network reachability and asset criticality.
  • Action: Plan remediation based on risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35308 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This Oracle Coherence vulnerability allows unauthenticated network attackers to achieve full takeover, which would cause a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Oracle Coherence?

Oracle Coherence is an in-memory data grid used within Oracle Fusion Middleware. It provides distributed caching and computational capabilities, allowing applications to store and process large amounts of data across multiple servers. It is a fundamental component for managing data-heavy backend services and distributed computing tasks.

What does CVE-2026-35308 mean for system security?

This vulnerability falls under the weakness class of Improper Access Control (CWE-284). In plain terms, it means the software fails to properly restrict who can access its functions. Because of this flaw, an unauthorized person can send network requests to the system and gain full control over the Oracle Coherence environment without needing any credentials or login permissions.

How can an attacker trigger this vulnerability?

An attacker triggers the vulnerability by sending specific network requests over HTTP to an affected Oracle Coherence instance. No interaction or authentication is required from a legitimate user. Note that the issue concerns a network-accessible service: purely local, non-networked use of Coherence is not the exposed path.

Is my Oracle Coherence instance at high risk?

Halo Surface Signal indicates that while Oracle Coherence often serves internal roles like backend caching, it can be misconfigured as internet-facing. If your instance is reachable from a public network, it faces a higher level of risk. Even if your Coherence instance is internal, it remains a critical concern because the vulnerability allows for a full system takeover, which can compromise other connected products.

What steps should I take if I run Oracle Coherence?

Start by identifying all instances of the affected versions within your infrastructure. Once located, assess their network configuration to confirm if they are reachable from untrusted zones. Prioritize these assets based on their criticality to your business operations and coordinate with your platform teams to plan the necessary security updates provided by the vendor.
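The identification and prioritization steps described in the Operational Fix section and in this answer, as an added example that is not part of the advisory: a small Python triage helper that flags inventory records on the listed Coherence release trains and ranks them by network reach, HTTP exposure and business criticality. The inventory records, the zone scale and the scoring weights are assumptions; only the affected versions come from the advisory.

```python
"""Triage helper for CVE-2026-35308 (added example): rank affected Coherence nodes by exposure."""
from dataclasses import dataclass
from typing import Optional
# Release trains the advisory lists as affected, patch digit dropped. The page names no
# fixed patch level, so every node on a listed train is treated as affected until patched.
AFFECTED_TRAINS = {"12.2.1.4", "14.1.1.0", "14.1.2.0", "15.1.1.0"}
# Assumed scale for where the node's HTTP listener can be reached from.
ZONE_WEIGHT = {"isolated": 0, "internal": 1, "partner": 2, "internet": 3}

@dataclass
class CoherenceNode:
    host: str
    version: str            # five-component Oracle version, e.g. "14.1.1.0.3"
    zone: str               # key of ZONE_WEIGHT
    http_enabled: bool      # an HTTP (management/REST) listener is reachable
    criticality: int        # 1 (low) .. 3 (high) from the asset register
    owner: Optional[str]    # accountable team, None until located

def release_train(version: str) -> str:
    """'14.1.1.0.3' -> '14.1.1.0'; rejects anything that is not a 5-part numeric version."""
    parts = version.strip().split(".")
    if len(parts) != 5 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Oracle version format: {version!r}")
    return ".".join(parts[:4])

def exposure_score(node: CoherenceNode) -> int:
    if release_train(node.version) not in AFFECTED_TRAINS:
        return 0  # not on an affected train: nothing to triage for this CVE
    # Reach counts double; +3 when HTTP is on, since the advisory's attack path is HTTP.
    return 1 + 2 * ZONE_WEIGHT[node.zone] + node.criticality + (3 if node.http_enabled else 0)

def triage(nodes: list) -> list:
    """Affected nodes as (host, score, owner, to-do), most exposed first."""
    rows = []
    for n in nodes:
        score = exposure_score(n)
        if score == 0:
            continue
        todo = [] if n.owner else ["locate owner"]
        if n.http_enabled and ZONE_WEIGHT[n.zone] >= 2:
            todo.append("restrict HTTP reachability")
        todo.append("apply vendor patch")
        rows.append((n.host, score, n.owner or "UNASSIGNED", todo))
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed inventory records; hostnames and versions are illustrative only.
INVENTORY = [
    CoherenceNode("cache-a.example.internal", "14.1.1.0.3", "internal", True, 3, "platform"),
    CoherenceNode("cache-b.example.internal", "15.1.1.0.0", "internet", True, 2, None),
    CoherenceNode("cache-c.example.internal", "14.1.2.0.1", "isolated", False, 1, "apps"),
    CoherenceNode("legacy.example.internal", "12.1.3.0.0", "internal", True, 3, "apps"),
]
```

Running `triage(INVENTORY)` puts the internet-reachable node with no owner first and drops the node on an unlisted release train entirely.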
