Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
JDENET is network-reachable (AV:N), exploitation is straightforward (AC:L), a valid low-privileged JD Edwards account is required (PR:L), no user interaction, and the flaw crosses module boundaries (S:C) with high confidentiality/integrity but no availability impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Project Costing product of Oracle JD Edwards (component: Job Costing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Project Costing. While the vulnerability is in JD Edwards EnterpriseOne Project Costing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Project Costing accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Project Costing accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
AnalysisAI
Cross-product compromise in Oracle JD Edwards EnterpriseOne Project Costing 9.2 (Job Costing component) allows a low-privileged attacker with network access via the JDENET protocol to read, modify, or delete all data accessible to the Project Costing module and to impact additional adjacent products through a scope change. Oracle rates this 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and there is no public exploit identified at time of analysis, with the issue tracked as EUVD-2026-37230.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have network reachability to a JD Edwards EnterpriseOne 9.2 server speaking the JDENET protocol (the proprietary middleware port exposed by the enterprise/HTML server) and must hold a valid low-privileged JD Edwards account (PR:L) - fully anonymous exploitation is not in scope per the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 9.6 is driven by network attack vector, low complexity, only low privileges required, no user interaction, and a scope change that elevates confidentiality and integrity impact to High across additional products; availability is unaffected (A:N), so this is a data-integrity and data-disclosure issue rather than a denial-of-service one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A user with a low-privileged JD Edwards account (for example, a self-service project employee or contractor) authenticates to the EnterpriseOne environment and sends a crafted JDENET request to the Job Costing component, which fails to enforce authorization and lets the attacker read or alter cost, budget, and billing records - and, due to the scope change, data in adjacent JD Edwards modules - manipulating financial figures or exfiltrating sensitive project data. No public exploit identified at time of analysis, but the low attack complexity and minimal privilege requirement make weaponisation by a malicious insider or a compromised low-trust account straightforward once the JDENET endpoint is reachable. |
| Remediation | Apply the fixes shipped in Oracle's June 2026 Critical Patch Update for JD Edwards EnterpriseOne 9.2 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; a specific patched build number was not provided in the input, so administrators should pull the exact Project Costing / Tools Release patch identifier directly from the CPU advisory and MOS notes. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Restrict JDENET protocol access to trusted networks only; audit Project Costing 9.2 access logs for unauthorized data modifications; revoke unnecessary low-privilege account access to the Job Costing component. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37230