Skip to main content

JD Edwards EnterpriseOne CVE-2026-46891

| EUVDEUVD-2026-37383 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

HTTP-reachable EnterpriseOne web tier (AV:N/AC:L), any authenticated low-privilege user suffices (PR:L), no UI; full read/write to AP data gives C:H/I:H, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:26 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Accounts Payable accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Accounts Payable accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EnterpriseOne credential
Delivery
Reach HTML Server over HTTP
Exploit
Invoke Accounts Payable endpoint outside role
Execution
Bypass authorization check
Persist
Read or modify AP/voucher data
Impact
Exfiltrate or redirect payments

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network reachability to the JD Edwards EnterpriseOne HTML/web tier over HTTP, and (2) a valid low-privileged EnterpriseOne user account (PR:L) - any authenticated user, not necessarily an Accounts Payable role-holder, suffices per Oracle's description that a low-privileged attacker can compromise the AP component. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N corroborates Oracle's 'easily exploitable' wording: any low-privileged EnterpriseOne user with HTTP reach can drive the attack with no user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privileged JD Edwards user - for example an internal employee with any non-AP role, or an attacker who has phished a basic EnterpriseOne credential - sends crafted HTTP requests to AP endpoints on the EnterpriseOne HTML Server and gains read/write access to supplier and voucher data the user was never granted. The attacker can exfiltrate vendor master and payment data or, more damagingly, create or modify vouchers to redirect payments, with no user interaction required and no public exploit identified at time of analysis.
Remediation Apply Oracle's June 2026 Critical Patch Update fixes for JD Edwards EnterpriseOne 9.2 Accounts Payable as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory; the exact fix tools-release/bundle should be taken directly from that CPU rather than inferred. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all production systems running JD Edwards EnterpriseOne Accounts Payable 9.2; audit user access logs and AP transaction records for suspicious modifications; implement emergency network restrictions to limit AP system access to essential finance personnel only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy