Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Oracle states unauthenticated HTTP access yields full product takeover, so AV:N/AC:L/PR:N/UI:N with C/I/A:H; scope unchanged as compromise is confined to the Tools instance itself.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Remote unauthenticated takeover of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) is possible via the Web Runtime Security component over HTTP, with CVSS 9.8 indicating full compromise of confidentiality, integrity, and availability. No public exploit identified at time of analysis, but the trivial attack complexity and unauthenticated network vector make this a high-priority patching target for any organization running this ERP suite. Oracle disclosed it in the June 2026 Critical Patch Update (CPU).
Technical ContextAI
JD Edwards EnterpriseOne Tools is the runtime and administration layer (HTML Server, Server Manager, web client) that sits in front of the EnterpriseOne ERP application suite - typically deployed as Java-based web tiers reachable from internal user networks or, in many real deployments, exposed via reverse proxies for remote/partner access. The vulnerable component is identified as 'Web Runtime Security', which governs request handling and authentication enforcement for the web tier. Oracle did not publish a CWE and the advisory uses the standard CPU template wording 'takeover'; combined with PR:N/UI:N this language in past Oracle CPUs has typically mapped to authentication bypass or unauthenticated remote code execution in the HTTP request handling path, but the exact root cause class is not disclosed publicly. The single CPE 'cpe:2.3:a:oracle_corporation:jd_edwards_enterpriseone_tools' confirms the Tools layer is in scope rather than the underlying business applications or database.
RemediationAI
Apply the fix delivered in the Oracle Critical Patch Update of June 2026 by upgrading JD Edwards EnterpriseOne Tools to the post-9.2.26.2 release identified in the CPU advisory at https://www.oracle.com/security-alerts/cspujun2026.html (Oracle distributes Tools patches via My Oracle Support - verify the exact target release in the CPU patch availability table). Until the upgrade can be scheduled, restrict network reachability of the EnterpriseOne HTML Server, Server Manager Console, and any other Tools web endpoints to a trusted management VLAN or VPN, and place a WAF or reverse proxy in front of any internet-exposed instance with strict allow-listing of expected URI paths - be aware these network controls do not address insider or compromised-workstation threats and may break legitimate partner integrations that rely on direct HTTP access. Increase logging on the web tier and review access logs for anomalous unauthenticated requests to administrative paths in the interim.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37224