External risk intelligence

Oracle Coherence Takeover Vulnerability via HTTP

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-35309

A critical vulnerability in Oracle Coherence allows unauthenticated attackers with network access to compromise the system via HTTP, potentially leading to a complete takeover. This impacts confidentiality, integrity, and availability.

Oracle Coherence

12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0

Halo Surface Signal: 3 (Possible · external exposure)

Oracle Coherence is a data grid solution typically deployed in backend, internal application clusters rather than directly on the public internet. While the vulnerability is reachable via HTTP and could be exposed if misconfigured, standard architectural patterns place such middleware within protected internal networks, making public internet exposure a less common deployment scenario.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle Coherence, a component within Oracle Fusion Middleware, which could allow an unauthenticated attacker to compromise the system. This issue allows for easy exploitation over the network and could lead to a complete takeover of the Oracle Coherence environment, impacting confidentiality, integrity, and availability.

  • Attackers can take over Coherence remotely.
  • This affects core business data infrastructure.
  • Confirm relevance and assess your exposure.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending network requests to an exposed Oracle Coherence instance. Because the vulnerability lies within the handling of centralized third-party JAR files, successful exploitation would allow the attacker to gain control over the Coherence environment. This could lead to a complete takeover of the system, impacting its confidentiality, integrity, and availability.

  • No authentication required for attack.
  • Network access via HTTP.
  • Complete system takeover.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker with network access could compromise Oracle Coherence, potentially leading to a complete takeover of the system. This vulnerability affects systems running specific supported versions of Oracle Coherence and can be exploited via HTTP.

  • Oracle Coherence systems.
  • Unauthenticated network access.
  • Complete system takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

The identified vulnerability impacts Oracle Coherence, a component often managed by platform or infrastructure teams, with potential involvement from application owners if Coherence is embedded within their applications. The initial step should be to locate all instances of the affected Oracle Coherence deployments, assess their reachability from external networks, and confirm their criticality to business operations. Subsequently, the accountable owner for each instance must be identified to plan remediation actions based on risk.

  • Identify Oracle Coherence instances and owners.
  • Verify network reachability and business criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35309 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows an unauthenticated attacker to take over Oracle Coherence, which would likely result in a PCI ASV scan failure due to its severe impact.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle Coherence and where is it used?

Oracle Coherence is an in-memory data grid solution that serves as a high-performance caching and processing layer for enterprise applications. It is frequently used within Oracle Fusion Middleware environments to manage, store, and provide rapid access to large volumes of frequently used data across distributed clusters, helping back-end systems scale efficiently.

What kind of security weakness is CVE-2026-35309?

This vulnerability is classified as an improper access control issue. In plain terms, it means the software fails to properly restrict or verify who is allowed to interact with specific internal components—in this case, centralized third-party libraries. Because of this, an unauthorized person can send specially crafted HTTP requests to the system, bypassing intended protections to gain control over the affected infrastructure.

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by sending malicious HTTP requests directly to the targeted Oracle Coherence service. Crucially, the attacker does not need any valid login credentials or prior access to the system to initiate the attack. However, the attack requires the ability to reach the service over the network; if the service is not listening on an accessible port, the vulnerability cannot be exploited.

Is my Oracle Coherence deployment at risk?

While the vulnerability is severe, Halo Surface Signal notes that Oracle Coherence is typically deployed within protected, internal backend application clusters rather than directly on the public internet. You should care most if your specific architecture exposes these HTTP interfaces to broader networks, which increases the likelihood of unauthorized reachability.

What are the first steps to address this CVE?

Start by identifying all instances of Oracle Coherence running in your environment and determining their role and business criticality. Review your network configuration to verify if any instances are inadvertently reachable from external networks. Once you have an inventory of affected systems and their network exposure, coordinate with the designated owners to prioritize remediation based on the specific risk each instance presents.
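The inventory step described here and under Operational Fix can be started from the filesystem. The following is an added example, not Oracle or Halo tooling: it walks a directory tree for `coherence*.jar` files and flags any whose manifest version falls on one of the release lines listed at the top of this advisory. It assumes the JAR manifest carries an `Implementation-Version` entry and treats every patch level on a listed line as needing review, because this page does not state fixed patch levels.

```python
import os
import tempfile
import zipfile

# Release lines taken from the affected versions listed on this page.
AFFECTED_LINES = ("12.2.1.4", "14.1.1.0", "14.1.2.0", "15.1.1.0")

def manifest_version(jar_path):
    """Return Implementation-Version from a JAR manifest, or None."""
    try:
        with zipfile.ZipFile(jar_path) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile, OSError):
        return None  # unreadable archive or no manifest
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        # Assumption: the version is recorded under Implementation-Version.
        if sep and key.strip().lower() == "implementation-version":
            return value.strip()
    return None

def find_coherence(root):
    """Walk root; return [(path, version, needs_review)] for coherence*.jar."""
    hits = []
    prefixes = tuple(p + "." for p in AFFECTED_LINES)
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            low = name.lower()
            if not (low.startswith("coherence") and low.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            version = manifest_version(path)
            # An unknown version is flagged too: no evidence is not a pass.
            review = version is None or (version + ".").startswith(prefixes)
            hits.append((path, version, review))
    return hits

def make_sample_jar(path, version):
    """Constructed fixture: a JAR that holds only a manifest."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        make_sample_jar(os.path.join(root, "coherence.jar"), "14.1.1.0.0")
        make_sample_jar(os.path.join(root, "coherence-old.jar"), "3.7.1.0")
        for path, version, review in find_coherence(root):
            print("REVIEW" if review else "ok", version or "unknown", path)
```

Copies of Coherence nested inside WAR, EAR or fat-JAR archives are not opened by this walk, so embedded deployments still need a separate check with the application owners.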
