Skip to main content

Oracle Agile PLM CVE-2026-46859

| EUVDEUVD-2026-37352 CRITICAL
Improper Authentication (CWE-287)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle describes easily exploitable unauthenticated network HTTP attack yielding full product takeover, matching AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H with no scope change indicated.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:41 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Security). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Agile PLM 9.3.6 is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. The Security component flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed Agile PLM 9.3.6 HTTP endpoint
Delivery
Send crafted unauthenticated request to Security component
Exploit
Bypass authentication / trigger flaw
Execution
Gain administrative control of PLM
Impact
Exfiltrate product/BOM data and tamper with change orders

Vulnerability AssessmentAI

Exploitation The target must be Oracle Agile PLM version 9.3.6 with its HTTP(S) web tier reachable from the attacker's network position; no authentication, no user interaction, and no special non-default configuration are required per the CVSS vector AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) is maximal for a non-scope-changing flaw, indicating low-complexity, unauthenticated network exploitation leading to full product takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Agile PLM web interface - for example via an internet-exposed supplier portal or from a foothold on the corporate network - sends a single crafted HTTP request to the vulnerable Security component and obtains administrative control of the PLM instance without credentials. From there they exfiltrate confidential product designs, BOMs, and supplier data, tamper with engineering change orders, or pivot to the underlying application server. …
Remediation Apply the patch shipped in the Oracle Critical Patch Update of June 2026 for Oracle Agile PLM 9.3.6 as described at https://www.oracle.com/security-alerts/cspujun2026.html (Patch available per vendor advisory; no granular fix build number is published outside My Oracle Support). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Oracle Agile PLM 9.3.6, restrict HTTP/HTTPS access to internal networks only, enable detailed access logging, and activate incident response protocols. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46859 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy