Skip to main content

Oracle Enterprise Command Center Framework CVE-2026-46895

| EUVDEUVD-2026-37387 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable HTTP endpoint (AV:N), low complexity (AC:L), requires a low-privileged EBS account per description (PR:L), no user interaction (UI:N), scope change into other EBS modules (S:C), full takeover (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:23 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievable by a low-privileged remote attacker over HTTP, with a scope change that lets the compromise impact other Oracle E-Business Suite components. The flaw carries a CVSS 3.1 base score of 9.9 (C:H/I:H/A:H, S:C). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify internet-reachable Oracle EBS tier
Delivery
Obtain low-privileged EBS account
Exploit
Send crafted HTTP request to ECC Core
Install
Exploit authorization flaw with scope change
C2
Take over ECC framework
Execute
Pivot into adjacent EBS modules
Impact
Exfiltrate or alter business data

Vulnerability AssessmentAI

Exploitation Attacker must (a) reach the Oracle E-Business Suite application tier over HTTP, and (b) hold a valid low-privileged EBS account that grants any access to the Enterprise Command Center Framework (PR:L in the CVSS vector and the description's 'low privileged attacker' wording). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to a genuine high-priority issue rather than an inflated CVSS. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or self-registered a low-privileged Oracle E-Business Suite account (for example, a vendor- or partner-portal user) sends crafted HTTP requests to the ECC framework endpoints on the EBS application tier. Because the vulnerability allows a scope change with high impact on confidentiality, integrity, and availability, the attacker leverages it to take over the ECC service and pivot into adjacent EBS modules sharing the same tier, accessing financial or HR data and altering records. …
Remediation Patch available per vendor advisory: apply the Oracle Critical Patch Update of June 2026 for Oracle E-Business Suite as documented at https://www.oracle.com/security-alerts/cspujun2026.html, which delivers the fix for both ECC V15 and V16 - Oracle does not publish discrete patched ECC build numbers in the input data, so administrators should follow the CPU's per-product patch matrix to identify the exact bundle for their EBS release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and document all Oracle Command Center Framework V15/V16 deployments, current user access levels, and network exposure paths. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy