Skip to main content

Oracle Enterprise Command Center EUVDEUVD-2026-37221

| CVE-2026-46902 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Vendor describes easy unauthenticated HTTPS exploitation yielding full takeover, so AV:N/AC:L/PR:N/UI:N with C:H/I:H/A:H on an unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:19 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote unauthenticated takeover of Oracle Enterprise Command Center Framework (versions V15 and V16), a component of Oracle E-Business Suite, is possible over HTTPS with low attack complexity. The flaw yields full confidentiality, integrity, and availability impact (CVSS 9.8) on the Core component and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the trivial exploitability profile makes this a high-priority patching target.

Technical ContextAI

Oracle Enterprise Command Center Framework (ECC) is an analytics and visualization layer bundled with Oracle E-Business Suite that lets users explore operational data through faceted search dashboards built on top of EBS data sources. The affected 'Core' subcomponent handles framework-level request processing, and the CPE identifier oracle_enterprise_command_center_framework covers all installed releases of V15 and V16. Oracle did not assign a public CWE, but the combination of unauthenticated network reach plus full CIA impact is consistent with the deserialization, authentication-bypass, or injection classes that have historically plagued the EBS technology stack.

RemediationAI

Apply the patch shipped in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html), which is the vendor-released fix referenced for V15 and V16 - exact post-patch build numbers are enumerated in the CPU matrix rather than this CVE record. Until the CPU can be applied, restrict HTTPS reachability of the ECC endpoints to trusted internal networks via WAF or network ACLs and require VPN access for any external operators, accepting that this will break any partner or remote-user workflows that legitimately consume ECC dashboards; also raise monitoring on ECC servlet paths for anomalous unauthenticated POST traffic.

Share

EUVD-2026-37221 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy