Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
HTTP-reachable service (AV:N), low complexity per Oracle (AC:L), requires a low-privileged Tools account (PR:L), no UI, and authorization break across components causes scope change with high C/I but no availability impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
AnalysisAI
Privilege escalation and scope-change attack in Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 allows a low-privileged attacker with HTTP network access to compromise the Enterprise Infrastructure Security component and impact additional connected products. Successful exploitation yields full read access and the ability to create, modify, or delete all data accessible to JD Edwards EnterpriseOne Tools. No public exploit identified at time of analysis, and the issue was reported by Oracle as part of the June 2026 Critical Patch Update.
Technical ContextAI
JD Edwards EnterpriseOne Tools is the runtime, middleware, and security infrastructure layer that underpins Oracle's JD Edwards EnterpriseOne ERP suite, exposing HTTP-based services for application server administration, security configuration, and inter-component communication. The flaw resides in the Enterprise Infrastructure Security component (CPE cpe:2.3:a:oracle_corporation:jd_edwards_enterpriseone_tools), which handles authentication, authorization, and trust boundaries between Tools and downstream EnterpriseOne applications. While the CVE record lists CWE as N/A, the Oracle-supplied tag 'Authentication Bypass' combined with the CVSS scope change (S:C) indicates the weakness most likely lies in improper authorization or trust validation across component boundaries, where a low-privileged Tools user can break out of their security context to act on resources owned by other JD Edwards products.
RemediationAI
Patch available per Oracle's June 2026 Critical Patch Update advisory at https://www.oracle.com/security-alerts/cspujun2026.html; apply the EnterpriseOne Tools release issued in that CPU (a version above 9.2.26.2) as the primary fix. Until patching is possible, compensating controls include restricting HTTP access to the EnterpriseOne Tools administrative and security endpoints to a trusted management VLAN or via reverse-proxy ACLs (side effect: may block legitimate remote admin consoles), tightening Tools role assignments to remove unnecessary low-privilege accounts that could be abused (side effect: operational friction for power users), and enabling enhanced audit logging on the Enterprise Infrastructure Security component to detect anomalous cross-product data access (side effect: increased log volume and storage). Do not expose JD Edwards EnterpriseOne Tools HTTP services directly to the internet.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37225