Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Network-reachable HTTP endpoint with no auth or user interaction (AV:N/AC:L/PR:N/UI:N); scope change into downstream apps (S:C); full read but partial write and no DoS (C:H/I:L/A:N).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
AnalysisAI
Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2 via the Web Runtime Security component allows attackers with HTTP access to read all data the product can reach and modify a subset of it, with a scope change that propagates impact to other integrated products. Oracle rates the issue 9.3 (CVSS 3.1) and describes it as easily exploitable, and the public tagging as an authentication bypass aligns with the PR:N vector. No public exploit identified at time of analysis and no CISA KEV listing has been recorded.
Technical ContextAI
JD Edwards EnterpriseOne Tools is the runtime, administration, and middleware layer (HTML Server, Server Manager, AIS/JAS web tier) that fronts JD Edwards ERP applications. The flaw sits in the Web Runtime Security subsystem - the code path that enforces authentication and session handling for HTTP-facing services - and the description plus the 'Authentication Bypass' tag indicate the security check can be skipped or coerced over the network. CWE is not assigned in the input, but the behavior (no privileges required, scope change to downstream business modules) is consistent with the CWE-287/CWE-863 authentication or authorization bypass family rather than a memory-corruption class issue. The single CPE (cpe:2.3:a:oracle_corporation:jd_edwards_enterpriseone_tools) confirms the EnterpriseOne Tools tier is the only directly vulnerable product, but the CVSS S:C scope change means attacks pivot into the EnterpriseOne applications and integrated data stores that Tools mediates.
RemediationAI
Apply the fix delivered in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory; the exact post-9.2.26.2 patched build should be taken from the CPU matrix because the input data does not enumerate a specific fixed release number. Until the CPU is deployed, restrict reachability of the JD Edwards EnterpriseOne HTML Server, Server Manager, and AIS endpoints to trusted management networks via firewall or reverse-proxy ACLs (trade-off: breaks remote administrative and integration access from outside that range), require a VPN or zero-trust proxy in front of the HTTP listener, and enable enhanced web-tier logging plus WAF rules that block anomalous authentication and session-cookie patterns directed at the Web Runtime Security endpoints (trade-off: signature-based WAF rules can be bypassed by minor protocol variation, so treat as detection, not prevention). Do not rely on disabling user accounts - the flaw is pre-authentication, so account hardening alone will not mitigate it.
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly
In OpenSSL 1.1.0 before 1.1.0d, if a malicious server supplies bad parameters for a DHE or ECDHE key exchange then this
A denial of service flaw was found in OpenSSL 0.9.8, 1.0.1, 1.0.2 through 1.0.2h, and 1.1.0 in the way the TLS/SSL proto
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. Rated critical severity (CVS
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Monitoring and Diagnostics)
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, rela
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, rela
Vulnerability in the Advanced Networking Option component of Oracle Database Server. Rated high severity (CVSS 8.3), thi
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37231