Skip to main content

Siebel Apps - Marketing CVE-2026-46890

| EUVDEUVD-2026-37382 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle states unauthenticated HTTP attacker achieves component takeover with full CIA impact, matching AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:26 vuln.today

DescriptionCVE.org

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Siebel CRM's Siebel Apps - Marketing component (versions 17.0 through 26.5) is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. With a 9.8 CVSS base score and full confidentiality/integrity/availability impact, this represents a top-priority Oracle CPU finding, though no public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Technical ContextAI

The flaw resides in the Marketing component of Oracle's Siebel CRM suite - a long-standing enterprise customer relationship management platform commonly fronted by HTTP-based application servers and web tier components. The CPE 'cpe:2.3:a:oracle_corporation:siebel_apps_-_marketing' confirms the affected module is the Marketing application within Siebel CRM rather than the broader Siebel core. No CWE was assigned by Oracle (typical for Oracle CPU disclosures, which omit root-cause classification), so the underlying weakness class - whether deserialization, injection, authentication bypass, or an unsafe servlet endpoint - is not disclosed; the 'complete takeover' language combined with AV:N/PR:N strongly implies an unauthenticated remote code execution or full administrative bypass primitive reachable on the HTTP interface.

RemediationAI

Apply the patches from Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) to every Siebel CRM deployment running the Marketing component on versions 17.0 through 26.5 - Oracle CPU patches are cumulative within a release line, so install the latest available bundle for your Siebel version rather than only the named fix. Until patching is complete, restrict network reachability of the Siebel Marketing HTTP endpoints to trusted internal networks via firewall or reverse-proxy ACLs, disable internet exposure of the Marketing application URLs at the web tier, and place a WAF in front of the Siebel web servers with rules blocking anomalous requests to Marketing servlets - these controls reduce attack surface but do not eliminate insider or lateral-movement exploitation paths, and may break legitimate external marketing campaign callbacks. Monitor Siebel application and web-server logs for unexpected POST traffic and new administrative actions on the Marketing component.

Share

CVE-2026-46890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy