Skip to main content

JD Edwards EnterpriseOne Tools EUVDEUVD-2026-37231

| CVE-2026-46912 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.3
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
vuln.today AI
9.3 CRITICAL

Network-reachable HTTP endpoint with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); scope change into downstream apps (S:C); full read but partial write and no DoS (C:H/I:L/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:13 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).

AnalysisAI

Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 via the Web Runtime Security component allows attackers with HTTP access to read all data the product can reach and modify a subset of it, with a scope change that propagates impact to other integrated products. Oracle rates the issue 9.3 (CVSS 3.1) and describes it as easily exploitable, and the public tagging as an authentication bypass aligns with the PR:N vector. No public exploit identified at time of analysis and no CISA KEV listing has been recorded.

Technical ContextAI

JD Edwards EnterpriseOne Tools is the runtime, administration, and middleware layer (HTML Server, Server Manager, AIS/JAS web tier) that fronts JD Edwards ERP applications. The flaw sits in the Web Runtime Security subsystem - the code path that enforces authentication and session handling for HTTP-facing services - and the description plus the 'Authentication Bypass' tag indicate the security check can be skipped or coerced over the network. CWE is not assigned in the input, but the behavior (no privileges required, scope change to downstream business modules) is consistent with the CWE-287/CWE-863 authentication or authorization bypass family rather than a memory-corruption class issue. The single CPE (cpe:2.3:a:oracle_corporation:jd_edwards_enterpriseone_tools) confirms the EnterpriseOne Tools tier is the only directly vulnerable product, but the CVSS S:C scope change means attacks pivot into the EnterpriseOne applications and integrated data stores that Tools mediates.

RemediationAI

Apply the fix delivered in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory; the exact post-9.2.26.2 patched build should be taken from the CPU matrix because the input data does not enumerate a specific fixed release number. Until the CPU is deployed, restrict reachability of the JD Edwards EnterpriseOne HTML Server, Server Manager, and AIS endpoints to trusted management networks via firewall or reverse-proxy ACLs (trade-off: breaks remote administrative and integration access from outside that range), require a VPN or zero-trust proxy in front of the HTTP listener, and enable enhanced web-tier logging plus WAF rules that block anomalous authentication and session-cookie patterns directed at the Web Runtime Security endpoints (trade-off: signature-based WAF rules can be bypassed by minor protocol variation, so treat as detection, not prevention). Do not rely on disabling user accounts - the flaw is pre-authentication, so account hardening alone will not mitigate it.

CVE-2017-5645 CRITICAL POC
9.8 Apr 17

In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events

CVE-2015-1793 MEDIUM POC
6.5 Jul 09

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly

CVE-2017-3730 HIGH POC
7.5 May 04

In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this

CVE-2016-8610 HIGH
7.5 Nov 13

A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto

CVE-2020-11113 HIGH
8.8 Mar 31

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-42013 CRITICAL POC
9.8 Oct 07

It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS

CVE-2020-35728 HIGH
8.1 Dec 27

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-2733 CRITICAL POC
9.8 Apr 15

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)

CVE-2020-9548 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-9547 CRITICAL POC
9.8 Mar 02

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela

CVE-2020-36183 HIGH POC
8.1 Jan 07

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela

CVE-2021-2351 HIGH POC
8.3 Jul 21

Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi

Share

EUVD-2026-37231 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy