Skip to main content

JD Edwards EnterpriseOne Tools CVE-2026-46913

| EUVDEUVD-2026-37232 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.3
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.3 CRITICAL
AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Oracle's 'logon to the infrastructure' wording means an OS account is required, so PR:L is more honest than PR:N; AV:L, AC:L, S:C and full CIA impact follow the description.

3.1 AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:13 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Installation Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where JD Edwards EnterpriseOne Tools executes to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Full takeover of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 is achievable by an attacker with local logon access to the host running the Installation Security component, requiring no application credentials. The flaw carries a CVSS 3.1 base score of 9.3 with a scope change, meaning successful exploitation can pivot beyond JD Edwards into adjacent enterprise products on the same infrastructure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain local logon on JD Edwards Tools host
Delivery
Enumerate Installation Security artifacts
Exploit
Abuse insecure default to escalate
Execution
Hijack Tools service context
Persist
Pivot via scope change to related Oracle components
Impact
Take over EnterpriseOne ERP environment

Vulnerability AssessmentAI

Exploitation The attacker must already have a valid logon session on the operating-system host where JD Edwards EnterpriseOne Tools 9.2.0.0-9.2.26.2 executes - this can be any non-privileged local or remote interactive account (SSH, RDP, console), and no JD Edwards application credentials are required, which is why Oracle scores PR:N despite AV:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are partially conflicting and should be interpreted carefully: CVSS 9.3 with C:H/I:H/A:H and S:C indicates catastrophic impact, but AV:L confines the attack to actors who already have a local logon on the JD Edwards host, materially reducing the population of capable attackers compared to a network-exposed RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A contractor or low-tier IT operator with shell or RDP access to the Windows or Unix host that runs JD Edwards EnterpriseOne Tools abuses an insecure default in the Installation Security component to overwrite or read a privileged Tools artifact, gaining control of the Tools service account. Because the vulnerability has scope change, that control extends into related Oracle products co-resident on the host such as Server Manager, WebLogic deployments, or the configured database connections, yielding full ERP compromise. …
Remediation Apply the fix delivered in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html); Oracle's CPU model means the patch is shipped as the next Tools release after 9.2.26.2 and customers should upgrade to that level or later as the primary remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all JD Edwards installations running versions 9.2.0.0-9.2.26.2 and identify which servers host the Installation Security component. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-42013 CRITICAL POC
9.8 Oct 07

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-2733 CRITICAL POC
9.8 Apr 15

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-2351 HIGH POC
8.3 Jul 21

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi

Share

CVE-2026-46913 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy