Skip to main content

Oracle Enterprise Manager EUVDEUVD-2026-37348

| CVE-2026-46855 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable OMS over HTTPS (AV:N), low complexity per Oracle (AC:L), requires any low-priv EM account (PR:L), no user interaction, and scope-changed full takeover yields C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:43 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker via HTTPS, exploiting the Metadata Plugin component. The scope-changed flaw (CVSS 9.9) lets an attacker pivot to impact additional Oracle products beyond EM itself, and no public exploit identified at time of analysis.

Technical ContextAI

Oracle Enterprise Manager Base Platform is the central management console used to monitor and administer Oracle databases, middleware, engineered systems, and cloud workloads. The vulnerable Metadata Plugin component handles plugin metadata definitions consumed by the OMS (Oracle Management Server) over HTTPS. Although no CWE was assigned in the input, the CVSS scope change (S:C) combined with high CIA impact on additional products is characteristic of an authorization or input-handling defect in a privileged management endpoint that bridges trust boundaries between EM and the targets it manages.

RemediationAI

Apply Patch available per vendor advisory by installing the fixes for Oracle Enterprise Manager Base Platform 13.5 and 24.1 delivered in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html); exact patched build numbers should be taken directly from the CPU matrix as Oracle releases bundle patches per platform. Until the CPU is deployed, restrict network access to the OMS HTTPS console and upload endpoints to trusted management VLANs and jump hosts, tighten EM role assignments so that only essential operator accounts have any EM privileges (reducing the attack surface for the PR:L precondition), and monitor EM audit logs for unexpected Metadata Plugin operations or new plugin deployments. These compensating controls trade off some operator convenience and remote administration but do not replace the CPU patch, which is the only authoritative fix.

CVE-2026-46852 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P

CVE-2026-46854 CRITICAL
9.9 Jun 16

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo

CVE-2026-46832 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework

CVE-2026-46857 CRITICAL
9.8 Jun 16

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a

CVE-2026-46856 CRITICAL
9.6 Jun 16

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov

CVE-2026-46853 CRITICAL
9.6 Jun 16

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to

CVE-2026-46875 CRITICAL
9.1 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library comp

CVE-2026-46872 CRITICAL
9.0 Jun 16

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe

CVE-2026-46864 HIGH
8.8 Jun 16

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo

CVE-2026-46866 HIGH
8.2 Jun 16

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica

CVE-2026-46865 HIGH
8.2 Jun 16

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)

CVE-2026-46868 HIGH
7.2 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-

Share

EUVD-2026-37348 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy