Skip to main content

Oracle Enterprise Command Center Framework CVE-2026-46901

| EUVDEUVD-2026-37220 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
vuln.today AI
9.9 CRITICAL

HTTP-reachable Core component exploitable by any low-privileged EBS user (AV:N/AC:L/PR:L/UI:N); scope change into other EBS modules yields C:H/I:H with only partial DoS (A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:20 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).

AnalysisAI

Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege EBS credentials
Delivery
Reach ECC Core HTTP endpoint
Exploit
Send crafted authorization-bypassing request
Execution
Cross ECC trust boundary (scope change)
Persist
Read/modify/delete EBS data in other modules
Impact
Trigger partial denial of service on ECC

Vulnerability AssessmentAI

Exploitation Requires network reachability to the Oracle E-Business Suite application tier over HTTP/HTTPS and a valid low-privileged EBS account that can invoke the Enterprise Command Center Framework Core component (CVSS PR:L, UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is high for any internet-exposed or broadly-accessible Oracle EBS deployment running ECC V15/V16. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privilege Oracle E-Business Suite account - for example a self-registered iStore/iRecruitment user or a compromised employee SSO session - sends crafted HTTP requests to the ECC Core endpoints and abuses the flaw to read, alter, or delete data belonging to other EBS modules outside the user's normal authorization. Because Scope is Changed, the attacker can pivot from the ECC component into other EBS subsystems (financials, HR, procurement), enabling fraud, data theft, or sabotage. …
Remediation Apply the patches delivered in Oracle's June 2026 Critical Patch Update for Oracle Enterprise Command Center Framework V15 and V16 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; an exact post-patch build number is not enumerated in the available data, so consult the CPU advisory matrix to map your ECC release to the correct one-off patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Disable or strictly limit HTTP access to Framework V15 and V16; implement enhanced monitoring for abnormal data access patterns and modifications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46901 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy