Skip to main content

Oracle Enterprise Command Center Framework EUVDEUVD-2026-37220

| CVE-2026-46901 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
vuln.today AI
9.9 CRITICAL

HTTP-reachable Core component exploitable by any low-privileged EBS user (AV:N/AC:L/PR:L/UI:N); scope change into other EBS modules yields C:H/I:H with only partial DoS (A:L).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:20 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).

AnalysisAI

Scope-changing compromise in Oracle Enterprise Command Center Framework V15 and V16 (a component of Oracle E-Business Suite) allows a low-privileged remote attacker to read, modify, or delete all framework-accessible data and partially disrupt service via HTTP. Because CVSS scope is Changed, exploitation impacts additional Oracle E-Business Suite products beyond the Framework itself, driving the 9.9 base score. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Oracle Enterprise Command Center Framework (ECC) is a guided-navigation and visualization layer embedded in Oracle E-Business Suite (EBS), used to render analytic dashboards backed by an Endeca-derived search/index engine. The 'Core' component handles request routing, session context, and data retrieval between the EBS application tier and the ECC service. No CWE is assigned, but the CVSS profile (AV:N/AC:L/PR:L, Scope:Changed, C:H/I:H/A:L) combined with the tag 'Authentication Bypass' is consistent with an authorization or trust-boundary flaw in the Core component that lets an authenticated EBS user reach data and operations outside their intended security context, propagating impact to other EBS modules sharing the ECC trust boundary.

RemediationAI

Apply the patches delivered in Oracle's June 2026 Critical Patch Update for Oracle Enterprise Command Center Framework V15 and V16 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; an exact post-patch build number is not enumerated in the available data, so consult the CPU advisory matrix to map your ECC release to the correct one-off patch. Until the CPU can be applied, restrict network reachability of the ECC URLs (typically under the EBS /OA_HTML/ context) to trusted internal users via WAF or reverse-proxy ACLs, tighten EBS responsibility assignments so that low-privilege users cannot reach ECC dashboards, and increase auditing of ECC Core requests - these controls reduce exposure but will disrupt legitimate ECC dashboard usage for the blocked user populations. Do not rely on perimeter controls alone, as the CVSS scope change means a single compromised low-privilege account can pivot into other EBS modules.

Share

EUVD-2026-37220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy