External risk intelligence

Oracle Coherence Remote Code Takeover Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-35310

A critical vulnerability in Oracle Coherence allows unauthenticated network attackers to compromise the system, potentially leading to a complete takeover. This impacts confidentiality, integrity, and availability. It matters because any reachable Oracle Coherence service, and the data it manages, could be affected.

Oracle Coherence

Affected versions: 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, 15.1.1.0.0

Halo Surface Signal

Possible · external exposure


Oracle Coherence is typically used as an internal data grid, cache, or middleware component within application architectures. While it supports HTTP access, it is not commonly deployed as a public-facing internet service. It is plausibly reachable in some specific deployment configurations, but public internet exposure is not the standard design pattern.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle Coherence, a component within Oracle Fusion Middleware. This issue is easily exploitable by an unauthenticated attacker with network access, potentially leading to a complete takeover of the Coherence environment and impacting confidentiality, integrity, and availability.

  • Unauthenticated network access compromises Oracle Coherence.
  • Critical risk to data and systems if exposed.
  • Confirm relevance and potential exposure to Oracle Coherence.

Attack Path

How an attacker could exploit the issue

An attacker could reach Oracle Coherence over the network without needing any credentials. This is possible because the vulnerability exists in the Core component of Oracle Coherence, which is accessible via HTTP. If successful, this could lead to the attacker gaining full control of the Oracle Coherence instance.

  • Unauthenticated network access required.
  • Vulnerable Core component is triggered.
  • Full takeover of Oracle Coherence.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in Oracle Coherence could allow an unauthenticated attacker with network access via HTTP to take over the system. This could affect the confidentiality, integrity, and availability of the Oracle Coherence service and any data it manages.

  • Oracle Coherence service and its data.
  • Via network access over HTTP.
  • Complete system takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

Oracle Coherence, a component of Oracle Fusion Middleware, is affected by a critical vulnerability that allows unauthenticated attackers to take complete control of the system via network access. The first practical step is to identify all instances of Oracle Coherence, confirm their reachability and business criticality, and then assign ownership to an accountable team for risk-based remediation planning.

  • Identify and assign Coherence ownership.
  • Verify reachability and business criticality.
  • Plan risk-based remediation actions.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-35310 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This critical vulnerability in Oracle Coherence allows unauthenticated attackers to take over the system via network access. Its high impact on confidentiality, integrity, and availability makes it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle Coherence?

Oracle Coherence is an in-memory data grid used by enterprises to store, manage, and cache large amounts of data across multiple servers. It acts as a middleware layer that allows applications to access data quickly, improving performance and scalability for complex systems within a business environment.

What does CVE-2026-35310 mean?

This vulnerability, classified as CWE-284 (Improper Access Control), signifies a flaw where the software fails to properly restrict access to its core functions. For CVE-2026-35310, it means an attacker can bypass security checks to interact with the system without needing a username or password, potentially leading to a complete compromise of the Oracle Coherence instance.

How is this vulnerability triggered?

The flaw is triggered when an attacker sends specific, unauthorized HTTP requests to the vulnerable Oracle Coherence core component over a network. It is important to note that this does not require any prior user authentication or special user privileges; however, the attacker must have network-level connectivity to the service to initiate the request.

Do I need to worry about this vulnerability?

According to Halo Surface Signal, Oracle Coherence is generally designed to operate as an internal cache or data grid, meaning it is not typically intended to be exposed directly to the public internet. While you should prioritize checking any instances that are internet-facing, you should also assess internal systems, as any device with network connectivity to your infrastructure could potentially be used to reach the vulnerable service.

What is the first step to address CVE-2026-35310?

Start by performing an inventory of your environment to locate all running instances of Oracle Coherence. Once identified, confirm which instances are reachable over your network and determine their business function. Assign a team to manage these assets so you can begin planning the necessary updates or security configurations to mitigate the risk of unauthorized access.
