Skip to main content

Oracle Enterprise Command Center CVE-2026-46902

| EUVDEUVD-2026-37221 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Vendor describes easy unauthenticated HTTPS exploitation yielding full takeover, so AV:N/AC:L/PR:N/UI:N with C:H/I:H/A:H on an unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:19 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Oracle E-Business Suite, is possible over HTTPS with low attack complexity. The flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8) on the Core component and is addressed in Oracle's June 2026 Critical Patch Update. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed ECC HTTPS endpoint
Delivery
Send crafted unauthenticated request to Core
Exploit
Bypass authentication / trigger flaw
Execution
Gain control of ECC framework
Persist
Read or modify EBS-linked data
Impact
Pivot deeper into E-Business Suite

Vulnerability AssessmentAI

Exploitation No special conditions - remote unauthenticated exploitation against default configurations of Oracle Enterprise Command Center Framework reachable over HTTPS, per AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals strongly align around high real-world risk: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N marks it as remote, low-complexity, and unauthenticated with HIGH impact on all three CIA pillars, and the description explicitly calls it 'easily exploitable' with 'takeover' as the outcome. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the ECC HTTPS interface - directly on the internet or pivoting from a compromised internal host - sends a crafted request to the Core component and, without supplying credentials, takes over the ECC instance, gaining the ability to read, alter, or destroy any data ECC can access within the EBS environment. Because attack complexity is low and no user interaction is needed, mass-scanning campaigns against Oracle EBS deployments are a realistic delivery method even though no public exploit identified at time of analysis.
Remediation Apply the patch shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html), which is the vendor-released fix referenced for V15 and V16 - exact post-patch build numbers are enumerated in the CPU matrix rather than this CVE record. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify and inventory all Oracle EBS systems running Enterprise Command Center Framework v15 or v16; restrict network access to these components via firewall rules or network segmentation; review access logs for compromise indicators. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46902 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy