Skip to main content

Oracle ECC Framework CVE-2026-46898

| EUVDEUVD-2026-37390 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable over HTTPS with no attacker credentials (AV:N/AC:L/PR:N), but requires victim interaction (UI:R); yields full read/write on ECC data (C:H/I:H) with no availability impact and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:22 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

AnalysisAI

High-impact confidentiality and integrity compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows unauthenticated remote attackers to gain full read/write access to all framework-accessible data after tricking a user into interacting with a malicious request. The flaw is reachable over HTTPS with low attack complexity but requires user interaction, and no public exploit identified at time of analysis. Oracle published a vendor advisory in the June 2026 Critical Patch Update.

Technical ContextAI

Oracle Enterprise Command Center Framework (ECC) is an analytics and visualization layer bundled with Oracle E-Business Suite (EBS) that provides discovery-style dashboards over EBS application data. It runs as a Java/Weblogic-based web component exposed via HTTPS to EBS users. CWE was not assigned by Oracle, but the combination of network attack vector, no privileges required, mandatory user interaction, and high confidentiality plus integrity impact (with no availability impact and unchanged scope) is consistent with a client-side web vulnerability class such as cross-site scripting, cross-site request forgery, or open redirect/HTML injection - vulnerabilities that abuse an authenticated victim's session against the ECC Core component to read and modify all data the victim can reach.

RemediationAI

Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 for Oracle Enterprise Command Center Framework V15 and V16 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle does not publish a discrete fix version string in the advisory beyond the CPU identifier, so treat 'Patch available per vendor advisory' as the patch status and install the CPU bundle for your EBS release train. As compensating controls until the CPU is deployed, restrict network exposure of the ECC endpoints to trusted internal users via reverse-proxy ACLs or VPN-only access (trade-off: blocks legitimate remote/business-partner access), and instruct ECC users to avoid clicking unsolicited links pointing at the ECC host since exploitation requires user interaction. Standard EBS browser hygiene - separate browser profile for ECC, session timeouts, and strict Referer/SameSite cookie enforcement on the Weblogic frontend - reduces the window in which a phishing lure can ride an authenticated session.

Share

CVE-2026-46898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy