Skip to main content

JD Edwards EnterpriseOne Tools CVE-2026-46910

| EUVDEUVD-2026-37229 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
vuln.today AI
9.1 CRITICAL

HTTP-reachable, unauthenticated, no UI per Oracle; high confidentiality and DoS impact, no integrity change, no scope change beyond the Tools tier.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:15 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

AnalysisAI

Unauthenticated remote compromise in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows network attackers to obtain unauthorized access to critical data and cause a complete denial of service via HTTP against the Enterprise Infrastructure Security component. Oracle rates this 9.1 (CVSS 3.1) reflecting high confidentiality and availability impact with no authentication or user interaction required, though no public exploit identified at time of analysis and it is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed JDE Tools HTTP endpoint
Delivery
Send crafted unauthenticated HTTP request
Exploit
Bypass Enterprise Infrastructure Security checks
Execution
Read sensitive ERP data or trigger crash
Impact
Exfiltrate data or sustain DoS

Vulnerability AssessmentAI

Exploitation Exploitation requires only network HTTP reachability to a JD Edwards EnterpriseOne Tools 9.2.0.0-9.2.26.2 deployment exposing the Enterprise Infrastructure Security component (typically the HTML Server / JAS or Server Manager web tier); no credentials, no user interaction, and no non-default configuration are called out by Oracle. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to high real-world risk: CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N is the worst-case exposure profile (internet-reachable, no auth, no user interaction, low complexity), and the affected product is a high-value ERP infrastructure tier often exposed to intranets or partner networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker on the internet, or on a flat corporate network with route to the JDE HTML Server, sends a crafted HTTP request to the Enterprise Infrastructure Security component without supplying credentials. The request bypasses authentication to read sensitive ERP data accessible to Tools (financial records, employee data, supplier information) and can also be sent in a form that triggers a repeatable hang or crash, taking the JDE Tools tier offline for all users. …
Remediation Apply Patch available per vendor advisory - install the fixes shipped in Oracle's June 2026 Critical Patch Update at https://www.oracle.com/security-alerts/cspujun2026.html, which addresses JD Edwards EnterpriseOne Tools through 9.2.26.2; Oracle does not publish a discrete fixed version number in the public advisory, so confirm the target Tools release via My Oracle Support before scheduling. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2; enable enhanced monitoring and logging on the Enterprise Infrastructure Security component for anomalous access attempts. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-42013 CRITICAL POC
9.8 Oct 07

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-2733 CRITICAL POC
9.8 Apr 15

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-2351 HIGH POC
8.3 Jul 21

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi

Share

CVE-2026-46910 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy