Skip to main content

Oracle Enterprise Manager CVE-2026-46866

| EUVDEUVD-2026-37359 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-06-16 oracle
8.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
8.2 HIGH

Unauthenticated HTTPS reachability with no UI matches AV:N/AC:L/PR:N/UI:N; complete DoS gives A:H, partial data modification gives I:L, no confidentiality impact gives C:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:37 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data. CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

AnalysisAI

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated network attackers to crash or hang the management console and to perform unauthorized modifications to a subset of accessible data via the Agent Next Gen component over HTTPS. Oracle rates the issue CVSS 8.2 and notes the flaw is easily exploitable; no public exploit identified at time of analysis, and it is not listed on the CISA KEV catalog.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach OMS management network
Delivery
Probe HTTPS Agent Next Gen port
Exploit
Send crafted HTTPS request
Execution
Crash or hang OMS process
Persist
Tamper with subset of OEM data
Impact
Suppress monitoring of managed targets

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the OEM Management Service HTTPS listener used by the Agent Next Gen component on a host running Oracle Enterprise Manager Base Platform 13.5 or 24.1; no credentials, user interaction, or non-default configuration are required per the CVSS vector (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H) is severe on paper: network-reachable, low complexity, no authentication, no user interaction, with complete availability loss and partial integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the OEM Management Service HTTPS upload port (typically because the management network is reachable from a compromised workstation, jump host, or misrouted VLAN) sends a crafted HTTPS request to the Agent Next Gen endpoint, repeatedly crashing the OMS process and producing a complete denial of service for the monitoring console. In the same campaign the attacker uses the integrity-tampering primitive to alter a subset of OEM-accessible data - for example silencing alerts, modifying monitoring thresholds, or planting misleading records - to mask follow-on activity against managed databases. …
Remediation Apply the patches delivered in Oracle's June 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html, which is the vendor-released fix track for OEM 13.5 and 24.1 - note exact patched build numbers must be taken from the CPU document itself rather than inferred. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all deployments of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1, and restrict HTTPS network access to the Agent Next Gen component to known administrator IP addresses only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-46855 CRITICAL
9.9 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v

CVE-2026-46852 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P

CVE-2026-46854 CRITICAL
9.9 Jun 16

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo

CVE-2026-46832 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework

CVE-2026-46857 CRITICAL
9.8 Jun 16

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a

CVE-2026-46856 CRITICAL
9.6 Jun 16

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov

CVE-2026-46853 CRITICAL
9.6 Jun 16

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to

CVE-2026-46875 CRITICAL
9.1 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp

CVE-2026-46872 CRITICAL
9.0 Jun 16

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe

CVE-2026-46864 HIGH
8.8 Jun 16

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo

CVE-2026-46865 HIGH
8.2 Jun 16

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)

CVE-2026-46868 HIGH
7.2 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-

Share

CVE-2026-46866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy