Skip to main content

JD Edwards EnterpriseOne Tools CVE-2026-46906

| EUVDEUVD-2026-37225 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.6
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
vuln.today AI
9.6 CRITICAL

HTTP-reachable service (AV:N), low complexity per Oracle (AC:L), requires a low-privileged Tools account (PR:L), no UI, and authorization break across components causes scope change with high C/I but no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:17 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

AnalysisAI

Privilege escalation and scope-change attack in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows a low-privileged attacker with HTTP network access to compromise the Enterprise Infrastructure Security component and impact additional connected products. Successful exploitation yields full read access and the ability to create, modify, or delete all data accessible to JD Edwards EnterpriseOne Tools. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Tools account
Delivery
Reach EnterpriseOne Tools HTTP endpoint
Exploit
Send crafted request to Infrastructure Security component
Execution
Bypass authorization across scope boundary
Impact
Read or modify critical JD Edwards data

Vulnerability AssessmentAI

Exploitation Attacker must hold a valid low-privileged account on JD Edwards EnterpriseOne Tools 9.2.0.0-9.2.26.2 (PR:L) and have HTTP network reachability to the Tools service; no user interaction is required (UI:N) and attack complexity is low (AC:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is high: the CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) gives a 9.6 base score driven by network reachability, low complexity, only low privileges required, no user interaction, and a scope change that lets the attack reach beyond Tools into other JD Edwards products. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains or compromises a low-privileged JD Edwards EnterpriseOne Tools account - for example, a routine business user with HTTP login rights - and sends crafted HTTP requests to the Enterprise Infrastructure Security component to escape their authorization scope. Leveraging the scope change, they read or modify financial, HR, or master data across JD Edwards modules that their account would not normally be permitted to touch. …
Remediation Patch available per Oracle's June 2026 Critical Patch Update advisory at https://www.oracle.com/security-alerts/cspujun2026.html; apply the EnterpriseOne Tools release issued in that CPU (a version above 9.2.26.2) as the primary fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0-9.2.26.2; inventory accounts with low-privilege access; confirm backup integrity and offsite copies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-42013 CRITICAL POC
9.8 Oct 07

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-2733 CRITICAL POC
9.8 Apr 15

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-2351 HIGH POC
8.3 Jul 21

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi

Share

CVE-2026-46906 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy