Skip to main content

Oracle Siebel CRM EUVDEUVD-2026-37239

| CVE-2026-46921 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

HTTP-reachable management component (AV:N), Oracle states easily exploitable (AC:L), requires a low-privileged Siebel account (PR:L), no user interaction, and yields full takeover (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:09 vuln.today

DescriptionCVE.org

Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Siebel CRM Cloud Applications versions 17.0 through 26.5 allows a low-privileged remote attacker to fully compromise the Siebel Cloud Manager component over HTTP. Oracle rates the flaw 8.8 with full CIA impact, and no public exploit identified at time of analysis, but the low attack complexity and low privilege requirement make this a high-priority patch for any internet-exposed Siebel deployment.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged Siebel credential
Delivery
Reach Cloud Manager HTTP endpoint
Exploit
Send crafted request abusing flaw
Execution
Escalate to administrative control
Impact
Exfiltrate CRM data and tamper records

Vulnerability AssessmentAI

Exploitation The attacker must (1) have network HTTP reachability to the Siebel Cloud Manager component of an Oracle Siebel CRM Cloud Applications instance running any version between 17.0 and 26.5, and (2) hold valid credentials for a low-privileged Siebel account (PR:L in the CVSS vector - unauthenticated exploitation is not in scope per Oracle). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H paints a serious picture: reachable over the network, no user interaction, low attack complexity, and full impact on confidentiality, integrity, and availability - with only a low-privileged account standing between the attacker and 'takeover of Siebel CRM Cloud Applications' as Oracle explicitly phrases it. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been issued a low-privileged Siebel account - for example a partner-portal login, a junior sales user, or a credential harvested via phishing - sends crafted HTTP requests to the Siebel Cloud Manager component and abuses the flaw to escalate to administrative control of the Siebel CRM Cloud Applications tenant. From there they can exfiltrate the full CRM database (customers, opportunities, pricing), tamper with records, or disrupt the service. …
Remediation Apply the fixes delivered in Oracle's June 2026 Critical Patch Update for Siebel CRM as documented at https://www.oracle.com/security-alerts/cspujun2026.html - the specific patched build number is not enumerated in the advisory metadata supplied here, so confirm the exact fix level against the CPU matrix before deployment (Patch available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Siebel deployments to identify affected versions (17.0-26.5) and map network exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37239 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy