Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
JDENET is network-reachable (AV:N), exploitation is straightforward (AC:L), a valid low-privileged JD Edwards account is required (PR:L), no user interaction, and the flaw crosses module boundaries (S:C) with high confidentiality/integrity but no availability impact.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Project Costing product of Oracle JD Edwards (component: Job Costing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Project Costing. While the vulnerability is in JD Edwards EnterpriseOne Project Costing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Project Costing accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Project Costing accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
AnalysisAI
Cross-product compromise in Oracle JD Edwards EnterpriseOne Project Costing 9.2 (Job Costing component) allows a low-privileged attacker with network access via the JDENET protocol to read, modify, or delete all data accessible to the Project Costing module and to impact additional adjacent products through a scope change. Oracle rates this 9.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and there is no public exploit identified at time of analysis, with the issue tracked as EUVD-2026-37230.
Technical ContextAI
JD Edwards EnterpriseOne is Oracle's ERP suite, and Project Costing is the module that tracks costs, budgets, and billing across projects and jobs. Communication between EnterpriseOne components (enterprise server, HTML server, deployment server) flows over JDENET, Oracle's proprietary TCP-based middleware protocol used for kernel calls and inter-process messaging. The CPE cpe:2.3:a:oracle_corporation:jd_edwards_enterpriseone_project_costing scopes the flaw to the Project Costing application, and the scope-change (S:C) indicator combined with the Oracle-supplied 'Authentication Bypass' tag suggests the Job Costing component fails to properly enforce authorization on a JDENET-reachable function, letting an authenticated session reach data or operations belonging to other JD Edwards modules or security domains. No CWE was assigned by Oracle, but the behavior is consistent with broken access control / privilege boundary failure across a trust boundary.
RemediationAI
Apply the fixes shipped in Oracle's June 2026 Critical Patch Update for JD Edwards EnterpriseOne 9.2 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; a specific patched build number was not provided in the input, so administrators should pull the exact Project Costing / Tools Release patch identifier directly from the CPU advisory and MOS notes. Until patching is complete, restrict the JDENET port (typically TCP 6015-6017 and the configured kernel ports in jde.ini) to known enterprise/HTML server hosts via host firewalls or network ACLs so untrusted clients cannot speak JDENET, accepting that this may break ad-hoc integrations or thick-client connections from unmanaged subnets. Additionally, audit and tighten JD Edwards role and security workbench entitlements for the Project Costing / Job Costing applications to minimise the population of low-privileged accounts that could trigger the flaw, recognising this is a hardening measure rather than a fix.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37230