Skip to main content

JD Edwards EnterpriseOne Tools CVE-2026-46909

| EUVDEUVD-2026-37228 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle describes easily exploitable unauthenticated HTTP takeover with full CIA impact, supporting AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H; no scope change indicated.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
CVE Published
Jun 22, 2026 - 06:03 cve.org
CRITICAL 9.8
Analysis Generated
Jun 16, 2026 - 22:15 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is possible by unauthenticated network attackers via HTTP, per Oracle's June 2026 Critical Patch Update. The flaw resides in the Enterprise Infrastructure Security component and carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed JDE Tools HTTP endpoint
Delivery
Send crafted unauthenticated HTTP request
Exploit
Bypass Enterprise Infrastructure Security checks
Execution
Obtain privileged Tools session
Persist
Read/modify ERP and security data
Impact
Pivot to backend database and integrations

Vulnerability AssessmentAI

Exploitation Exploitation requires only network HTTP reachability to a JD Edwards EnterpriseOne Tools 9.2.0.0-9.2.26.2 deployment with the Enterprise Infrastructure Security component in its default supported configuration; no authentication, no user interaction, and no special non-default feature toggle are called out by Oracle. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to high real-world risk: the CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H describes a network-reachable, low-complexity, no-auth, no-interaction attack yielding full takeover, and Oracle's own description characterizes it as 'easily exploitable.' EPSS, KEV, and SSVC data are not provided in the input, so probability-of-exploitation and active-exploitation status cannot be quantified - this is a data gap rather than evidence of low risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach a JD Edwards EnterpriseOne Tools HTTP endpoint - for example an exposed HTML Server or AIS Server - sends a crafted HTTP request that bypasses Enterprise Infrastructure Security checks, gaining the equivalent of a privileged Tools session without credentials. From there the attacker can read or alter ERP master data, financial transactions, and security configuration, and pivot into connected database and integration servers. …
Remediation Apply the fixes shipped in Oracle's Critical Patch Update for June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html); the CPU contains the Tools update that supersedes 9.2.26.2 - administrators should consult the CPU advisory matrix for the exact target Tools release applicable to their environment, as no fixed version is independently confirmed in the input data beyond 'patch available per vendor advisory.' Until the CPU is applied, restrict network reachability of the JD Edwards HTML Server, AIS Server, and Server Manager endpoints to trusted management networks via firewall or reverse-proxy ACLs, and place a WAF in front of internet- or partner-facing JDE web tiers to filter anomalous HTTP requests - note that AIS REST clients and integrations may break if allowlists are too narrow. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-42013 CRITICAL POC
9.8 Oct 07

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-2733 CRITICAL POC
9.8 Apr 15

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-2351 HIGH POC
8.3 Jul 21

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi

Share

CVE-2026-46909 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy