Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
HTTP-reachable EnterpriseOne web tier (AV:N/AC:L), any authenticated low-privilege user suffices (PR:L), no UI; full read/write to AP data gives C:H/I:H, no availability impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Accounts Payable accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Accounts Payable accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
AnalysisAI
High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network reachability to the JD Edwards EnterpriseOne HTML/web tier over HTTP, and (2) a valid low-privileged EnterpriseOne user account (PR:L) - any authenticated user, not necessarily an Accounts Payable role-holder, suffices per Oracle's description that a low-privileged attacker can compromise the AP component. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N corroborates Oracle's 'easily exploitable' wording: any low-privileged EnterpriseOne user with HTTP reach can drive the attack with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privileged JD Edwards user - for example an internal employee with any non-AP role, or an attacker who has phished a basic EnterpriseOne credential - sends crafted HTTP requests to AP endpoints on the EnterpriseOne HTML Server and gains read/write access to supplier and voucher data the user was never granted. The attacker can exfiltrate vendor master and payment data or, more damagingly, create or modify vouchers to redirect payments, with no user interaction required and no public exploit identified at time of analysis. |
| Remediation | Apply Oracle's June 2026 Critical Patch Update fixes for JD Edwards EnterpriseOne 9.2 Accounts Payable as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory; the exact fix tools-release/bundle should be taken directly from that CPU rather than inferred. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all production systems running JD Edwards EnterpriseOne Accounts Payable 9.2; audit user access logs and AP transaction records for suspicious modifications; implement emergency network restrictions to limit AP system access to essential finance personnel only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37383