Skip to main content

Oracle Siebel CRM CVE-2026-46884

| EUVDEUVD-2026-37376 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Description states easily exploitable, unauthenticated, HTTP-reachable, resulting in full component takeover - supports AV:N/AC:L/PR:N/UI:N with C:H/I:H/A:H and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:29 vuln.today

DescriptionCVE.org

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible over HTTP, requiring no privileges or user interaction. Successful exploitation yields full compromise of the Marketing component with high confidentiality, integrity, and availability impact (CVSS 9.8). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Siebel Apps - Marketing is the campaign management module of Oracle's Siebel CRM suite, used by enterprises to design, execute, and track multi-channel marketing campaigns. The CPE 'cpe:2.3:a:oracle_corporation:siebel_apps_-_marketing' confirms the affected component is the Marketing application itself rather than a shared infrastructure layer. Oracle has not published a CWE classification, but the CVSS vector (AV:N/AC:L/PR:N/UI:N) combined with 'takeover' language is consistent with a pre-authentication flaw in an internet-reachable HTTP endpoint - typically arising from authentication bypass, deserialization, injection, or broken access control in the web tier.

RemediationAI

Patch available per vendor advisory: apply the fixes shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) - Oracle does not publish discrete fix version strings in CPU listings, so consult the advisory matrix for the exact post-CPU patch level matching your Siebel release. Until the CPU can be applied, restrict network reachability of the Siebel Apps - Marketing HTTP endpoints to trusted internal management networks via firewall or reverse-proxy ACLs (side effect: legitimate remote marketing users will lose access), and place a WAF in front of the Marketing servlet paths to block anomalous unauthenticated POST/GET traffic (side effect: potential false positives on campaign-import workflows). Increase logging on the Marketing web tier and monitor for unauthenticated requests reaching administrative or campaign-execution URLs.

Share

CVE-2026-46884 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy