Skip to main content

Oracle Siebel CRM CVE-2026-46885

| EUVDEUVD-2026-37377 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable HTTP EAI endpoint (AV:N), no special timing or configuration (AC:L), any authenticated Siebel user suffices (PR:L), no user interaction, full component takeover yields C:H/I:H/A:H within the same authorization scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:29 vuln.today

DescriptionCVE.org

Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: EAI). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in takeover of Siebel CRM Integration. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover of the Siebel CRM Integration component (EAI) in Oracle Siebel CRM versions 17.0 through 26.5 allows a low-privileged remote attacker with HTTP network access to fully compromise the integration component, impacting confidentiality, integrity, and availability. Oracle rates this 'easily exploitable' with CVSS 3.1 score 8.8, but no public exploit identified at time of analysis and the vulnerability is not listed in CISA KEV.

Technical ContextAI

The flaw resides in the Enterprise Application Integration (EAI) component of Siebel CRM Integration, the middleware layer Oracle Siebel uses to exchange data with external systems via HTTP-based services (typically SOAP/XML or REST over the Siebel Web Engine). The CPE 'cpe:2.3:a:oracle_corporation:siebel_crm_integration' confirms the Oracle commercial CRM stack, not third-party connectors. No CWE is assigned in NVD, but Oracle's 'takeover' language combined with PR:L (any authenticated Siebel user) and full CIA impact is consistent with an authorization or input-handling flaw in an EAI service endpoint that allows privilege escalation or unrestricted action invocation within the integration subsystem.

RemediationAI

Apply the Oracle June 2026 Critical Patch Update (CPUJun2026) per https://www.oracle.com/security-alerts/cspujun2026.html, which contains the Siebel CRM fix; exact post-patch build numbers are published inside the CPU advisory matrix and should be matched to your installed version (17.0-26.5). Until the CPU can be applied, restrict network reachability to the Siebel EAI HTTP endpoints to known integration partners only via firewall or reverse-proxy ACLs, tighten Siebel responsibility/position assignments so that only the minimum set of accounts can authenticate to EAI services (eliminating the PR:L precondition for most users), and increase audit logging on EAI inbound requests to detect anomalous SOAP/REST calls - note that ACL restriction may break legitimate B2B integrations and should be coordinated with integration owners.

Share

CVE-2026-46885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy