Skip to main content

JD Edwards EnterpriseOne CVE-2026-46908

| EUVDEUVD-2026-37227 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Oracle's description supports network HTTP exploitation (AV:N/AC:L), a low-privileged account (PR:L), no user interaction, scope change into adjacent products, and full takeover of the AP module (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:16 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. While the vulnerability is in JD Edwards EnterpriseOne Accounts Payable, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Accounts Payable. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 is possible by a low-privileged remote attacker over HTTP, with scope-changing impact on adjacent products. The CVSS 3.1 base score of 9.9 reflects full confidentiality, integrity, and availability compromise plus a scope change (S:C), and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EnterpriseOne credential
Delivery
Reach Accounts Payable HTTP endpoint
Exploit
Send crafted exploit request
Execution
Trigger scope-changing flaw
Persist
Pivot into adjacent EnterpriseOne components
Impact
Take over Accounts Payable module

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network HTTP reachability to the Accounts Payable component of an Oracle JD Edwards EnterpriseOne 9.2 deployment and (2) any valid low-privileged EnterpriseOne credential (PR:L) - no admin role and no user interaction are needed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is high but not yet evidence-backed by exploitation telemetry. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been issued any low-privileged EnterpriseOne account - for example a compromised AP clerk, an over-provisioned vendor portal user, or a phished consultant - sends a crafted HTTP request to the Accounts Payable component. The scope change allows the attack to reach beyond Accounts Payable into adjacent EnterpriseOne services, ending in full takeover of the AP module and likely a foothold into broader financial data and processes. …
Remediation Patch available per vendor advisory: apply the fixes bundled in the Oracle June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) to JD Edwards EnterpriseOne 9.2 environments at the earliest scheduled maintenance window. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Oracle JD Edwards 9.2 AP systems in your environment and restrict network access to administrative personnel only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46908 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy