Skip to main content

JD Edwards EnterpriseOne Tools CVE-2026-46903

| EUVDEUVD-2026-37222 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

HTTP-reachable Tools endpoint gives AV:N/AC:L, a valid low-privileged JDE account is required so PR:L/UI:N, and full takeover yields C:H/I:H/A:H with no scope change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:19 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Business Logic Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Authenticated takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible via the Business Logic Infrastructure Security component, where a low-privileged attacker with HTTP network access can fully compromise confidentiality, integrity, and availability of the application. Oracle rates the issue 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged JDE user credentials
Delivery
Reach EnterpriseOne Tools HTTP endpoint
Exploit
Send crafted request to Business Logic Infrastructure Security
Execution
Bypass authorization checks
Persist
Execute privileged business logic
Impact
Take over JD Edwards EnterpriseOne Tools

Vulnerability AssessmentAI

Exploitation Exploitation requires network HTTP reachability to the JD Edwards EnterpriseOne Tools web tier and a valid low-privileged EnterpriseOne account (PR:L), targeting the Business Logic Infrastructure Security component on Tools versions 9.2.0.0 through 9.2.26.2; no user interaction, no admin role, and no non-default configuration are called out. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely aligned toward real priority: CVSS 8.8 with AV:N/AC:L/PR:L/UI:N and full High CIA, Oracle's own characterization as 'easily exploitable', and 'takeover' outcome all point to a serious, low-effort post-auth flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been issued a low-privileged JD Edwards EnterpriseOne user account - for example a basic business user, a phished employee, or a contractor - sends crafted HTTP requests to the EnterpriseOne Tools web tier that abuse the Business Logic Infrastructure Security component to invoke or alter business logic outside their authorized scope. Because AC:L and UI:N apply, no special timing or user interaction is needed, and the result is full takeover of the Tools instance with read, modify, and disrupt capability over ERP data and processes. …
Remediation Apply the fix delivered in Oracle's June 2026 Critical Patch Update for JD Edwards as documented at https://www.oracle.com/security-alerts/cspujun2026.html, upgrading EnterpriseOne Tools beyond the affected 9.2.0.0-9.2.26.2 range to the patched Tools release Oracle ships in that CPU (exact post-9.2.26.2 fix level should be taken from the Oracle advisory rather than assumed). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all JD Edwards EnterpriseOne Tools instances running versions 9.2.0.0-9.2.26.2; restrict network access to corporate VPN/trusted networks only; enable comprehensive audit logging for all administrative and authentication events. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-42013 CRITICAL POC
9.8 Oct 07

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-2733 CRITICAL POC
9.8 Apr 15

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-2351 HIGH POC
8.3 Jul 21

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi

Share

CVE-2026-46903 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy