Skip to main content

Oracle Enterprise Manager CVE-2026-46867

| EUVDEUVD-2026-37360 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
7.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

OMS is reachable over HTTPS (AV:N/AC:L) but requires a high-privilege OEM admin account (PR:H); full product takeover yields C:H/I:H/A:H with no scope change.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:36 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Extensibility Framework). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Extensibility Framework component, enabling an authenticated high-privilege attacker with HTTPS network access to fully compromise confidentiality, integrity, and availability of the management platform. The vendor (Oracle) advisory rates the issue at CVSS 3.1 7.2, and no public exploit identified at time of analysis, but successful exploitation yields complete product takeover. EPSS and CISA KEV signals are not provided in the input data.

Technical ContextAI

Oracle Enterprise Manager Base Platform is the central management and monitoring product for Oracle databases, middleware, applications, and infrastructure, and its Extensibility Framework is the subsystem that allows custom plug-ins, metrics, and management packs to be deployed against managed targets. The affected CPE (cpe:2.3:a:oracle_corporation:oracle_enterprise_manager_base_platform) covers releases 13.5 and 24.1 of the platform. No CWE is assigned in the input, so the precise weakness class (e.g., deserialization, authorization bypass, or injection within plug-in handling) cannot be determined from available data; Oracle's Critical Patch Update advisory CPUJUN2026 is the authoritative reference.

RemediationAI

Apply the patch available per vendor advisory in the Oracle Critical Patch Update of June 2026 (CPUJUN2026) to both Oracle Enterprise Manager Base Platform 13.5 and 24.1, following the version-specific bundle patch instructions at https://www.oracle.com/security-alerts/cspujun2026.html; an exact fixed build number is not enumerated in the input data, so consult the CPU matrix for the bundle patch identifier corresponding to your release. Until the bundle patch is deployed, restrict access to the OEM Console and management ports to a dedicated administrative network or jump host so that only trusted operators can reach the HTTPS interface, enforce strong authentication and rotate high-privilege OEM accounts (SYSMAN, super-administrator roles), and audit Extensibility Framework plug-in deployment activity for unexpected uploads or configuration changes (trade-off: network restrictions may disrupt remote administrator workflows and integrations such as plug-in development pipelines or federated OMS access). Avoid using shared high-privilege accounts so that compromise of one operator does not immediately satisfy the PR:H precondition.

CVE-2026-46855 CRITICAL
9.9 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v

CVE-2026-46852 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P

CVE-2026-46854 CRITICAL
9.9 Jun 16

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo

CVE-2026-46832 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework

CVE-2026-46857 CRITICAL
9.8 Jun 16

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a

CVE-2026-46856 CRITICAL
9.6 Jun 16

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov

CVE-2026-46853 CRITICAL
9.6 Jun 16

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to

CVE-2026-46875 CRITICAL
9.1 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp

CVE-2026-46872 CRITICAL
9.0 Jun 16

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe

CVE-2026-46864 HIGH
8.8 Jun 16

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo

CVE-2026-46866 HIGH
8.2 Jun 16

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica

CVE-2026-46865 HIGH
8.2 Jun 16

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)

Share

CVE-2026-46867 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy