Skip to main content

Oracle Enterprise Manager CVE-2026-46865

| EUVDEUVD-2026-37358 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.2 HIGH
AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.2 HIGH

Requires local logon to the EM host with high host privileges (AV:L, PR:H, AC:L, UI:N); full EM takeover plus scope change to managed Oracle targets justifies S:C and C:H/I:H/A:H.

3.1 AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:37 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Enterprise Manager Base Platform executes to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component) allows a high-privileged attacker with logon access to the host running EM to fully take over the platform, with scope change extending impact to additional managed Oracle products. CVSS 3.1 base score is 8.2 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. The scope-changing nature makes this a notable lateral-movement primitive in Oracle estates even though prerequisites are non-trivial.

Technical ContextAI

Oracle Enterprise Manager (EM) Base Platform is Oracle's centralized management console for databases, middleware, engineered systems, and cloud workloads; the Extensibility Framework is the subsystem that lets administrators load plug-ins and metadata extensions that drive EM target discovery, monitoring, and job execution. A defect in this framework lets a logged-on, high-privileged user pivot from the EM host into the platform itself and, because of the CVSS scope change (S:C), reach security authorities beyond the EM Base Platform - typically the managed targets EM administers. No CWE was supplied by Oracle, which is consistent with their disclosure practice of withholding root-cause detail; the affected CPE is cpe:2.3:a:oracle_corporation:oracle_enterprise_manager_base_platform covering versions 13.5 and 24.1.

RemediationAI

Apply the fixes shipped in Oracle's June 2026 Critical Patch Update (CPU Jun 2026) for Enterprise Manager Base Platform 13.5 and 24.1, following the patch matrix at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle does not publish a discrete fix-version string for EM in CPU advisories, so the patch is identified by the CPU release and component identifier rather than a semver. Until patches are staged, tightly restrict OS logon to the EM management host to a minimal set of EM administrators, audit and rotate sudoers and the oracle/emagent service accounts, and review host-level access logs for unexpected interactive sessions - these controls directly address the AV:L/PR:H precondition but do not stop a legitimately privileged operator from exploiting the issue. Given the scope change, also confirm that EM-stored named credentials for managed databases and middleware are rotatable and consider pre-staging credential rotation procedures in case post-patch forensics indicate prior misuse.

CVE-2026-46855 CRITICAL
9.9 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v

CVE-2026-46852 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P

CVE-2026-46854 CRITICAL
9.9 Jun 16

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo

CVE-2026-46832 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework

CVE-2026-46857 CRITICAL
9.8 Jun 16

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a

CVE-2026-46856 CRITICAL
9.6 Jun 16

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov

CVE-2026-46853 CRITICAL
9.6 Jun 16

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to

CVE-2026-46875 CRITICAL
9.1 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp

CVE-2026-46872 CRITICAL
9.0 Jun 16

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe

CVE-2026-46864 HIGH
8.8 Jun 16

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo

CVE-2026-46866 HIGH
8.2 Jun 16

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica

CVE-2026-46868 HIGH
7.2 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-

Share

CVE-2026-46865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy