Skip to main content

Oracle Siebel CRM CVE-2026-46887

| EUVDEUVD-2026-37379 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle's description states unauthenticated network HTTP exploitation enabling full takeover, justifying AV:N/AC:L/PR:N/UI:N with C:H/I:H/A:H and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:28 vuln.today

DescriptionCVE.org

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote unauthenticated takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is achievable over HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the Marketing component. Oracle's CVSS 9.8 rating reflects easy exploitation with no authentication or user interaction required, though no public exploit is identified at time of analysis and the CVE is not currently listed in CISA KEV.

Technical ContextAI

The vulnerability resides in the Marketing component of Oracle Siebel CRM's Siebel Apps - Marketing product, an enterprise customer relationship management suite widely deployed in financial services, telecommunications, and public sector environments. The affected CPE is cpe:2.3:a:oracle_corporation:siebel_apps_-_marketing covering all releases from 17.0 up to and including 26.5. Although the CWE is not specified, the combination of network-based HTTP attack vector, no privileges required, and full CIA impact is characteristic of authentication bypass, deserialization, or injection flaws commonly seen in Java-based Oracle web applications. Oracle has not publicly disclosed the root cause class, which is consistent with their standard Critical Patch Update disclosure practice.

RemediationAI

Apply the Oracle Critical Patch Update from June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory, though Oracle does not publish a single resolved version since CPU patches apply across the supported 17.0-26.5 range. Until patching is complete, restrict network access to the Siebel Marketing web tier by placing it behind a VPN or zero-trust proxy that enforces authentication before HTTP requests reach the application, accepting the trade-off that external marketing campaign management workflows may break. Web application firewall rules blocking anomalous Marketing component endpoints can serve as a secondary control, though without root-cause disclosure these rules will be best-effort pattern matching rather than precise mitigations. Inventory all Siebel Marketing instances including non-production environments, as Oracle CPU vulnerabilities are frequently reverse-engineered from the patch diff within weeks of release.

Share

CVE-2026-46887 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy