Skip to main content

Oracle Siebel CRM CVE-2026-46886

| EUVDEUVD-2026-37378 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network HTTP vector, low complexity, requires a low-privileged Siebel account (PR:L), no user interaction, and vendor describes full component takeover so C/I/A all High.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:28 vuln.today

DescriptionCVE.org

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Authenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) allows a low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle rates this 8.8 CVSS 3.1 with low attack complexity and no user interaction, making it an easy-win post-authentication vulnerability against any reachable Siebel Marketing instance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Siebel credentials
Delivery
Reach Marketing web tier over HTTP
Exploit
Send crafted authenticated request
Execution
Trigger Marketing component flaw
Persist
Take over Marketing module
Impact
Exfiltrate customer data and tamper with campaigns

Vulnerability AssessmentAI

Exploitation Attacker must have network HTTP/HTTPS reach to a running Siebel Apps - Marketing instance on a supported version between 17.0 and 26.5, and must hold valid low-privileged Siebel credentials (PR:L in the CVSS vector) - fully unauthenticated exploitation is not indicated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H produces a high 8.8 score and credibly reflects real risk: any user holding even minimal Siebel credentials on a network-reachable Marketing instance can fully take over the component without user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privileged Siebel account - through phishing, credential reuse, or an insider - sends crafted HTTP requests to the Siebel Marketing web interface and abuses the flaw to escalate to full control of the Marketing component, exfiltrating customer marketing data and tampering with campaigns. No public exploit is identified at time of analysis, but Oracle CPU vulnerabilities are commonly analyzed and weaponized once the patches are diffed.
Remediation Patch available per vendor advisory: apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for every Siebel Apps - Marketing instance in the 17.0-26.5 range - the input does not contain an exact fixed version string, so consult the CPU patch matrix for the precise patchset for each running release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: audit all Siebel Marketing instances running versions 17.0-26.5 and inventory active user accounts with administrative or elevated privileges. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46886 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy