Skip to main content

JD Edwards EnterpriseOne CVE-2026-46893

| EUVDEUVD-2026-37385 CRITICAL
Improper Privilege Management (CWE-269)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable via SMB (AV:N), Oracle states easily exploitable (AC:L), requires a low-privileged account (PR:L), no user interaction, and full takeover with scope change to adjacent products.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:25 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via SMB to compromise JD Edwards EnterpriseOne General Ledger. While the vulnerability is in JD Edwards EnterpriseOne General Ledger, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne General Ledger. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and full takeover of Oracle JD Edwards EnterpriseOne General Ledger 9.2 (E1 Foundation component) is possible by a low-privileged network attacker via SMB, with scope change to other products. No public exploit identified at time of analysis, but the CVSS 9.9 score and 'easily exploitable' vendor characterization make this a high-priority patching target for ERP operators.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged JDE credentials
Delivery
Reach SMB service on EnterpriseOne host
Exploit
Send crafted SMB request to E1 Foundation
Execution
Trigger vulnerability with scope change
Persist
Take over General Ledger and adjacent modules
Impact
Manipulate financial data or exfiltrate ERP records

Vulnerability AssessmentAI

Exploitation Attacker must have network reachability to the SMB service (TCP/445) of a JD Edwards EnterpriseOne General Ledger 9.2 server running the E1 Foundation component, and must hold a low-privileged authenticated account (PR:L per the CVSS vector - not unauthenticated). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All signals point to a high-priority issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a low-privileged account on the corporate network - for example through phishing a finance clerk or compromising a service account - connects to the JD Edwards EnterpriseOne server over SMB and sends a crafted request to the E1 Foundation that triggers the vulnerability. Because the scope changes, the attacker not only takes over the General Ledger module but also impacts adjacent JD Edwards components, potentially manipulating financial postings, exfiltrating sensitive accounting data, or staging further ERP-wide compromise. …
Remediation Apply the patches from Oracle's June 2026 Critical Patch Update for JD Edwards (Patch available per vendor advisory: https://www.oracle.com/security-alerts/cspujun2026.html) - an exact fix tools-release version is not enumerated in the supplied data, so confirm the specific Tools Release or ESU level in the CPU matrix before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Enumerate all JDE 9.2 General Ledger deployments; restrict SMB access (ports 139, 445) at network perimeter; enable detailed logging on SMB authentication. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy