Skip to main content

Oracle Agile PLM EUVDEUVD-2026-37352

| CVE-2026-46859 CRITICAL
Improper Authentication (CWE-287)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle describes easily exploitable unauthenticated network HTTP attack yielding full product takeover, matching AV:N/AC:L/PR:N/UI:N and C:H/I:H/A:H with no scope change indicated.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:41 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: Security). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in takeover of Oracle Agile PLM. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Agile PLM 9.3.6 is possible by unauthenticated attackers reaching the application over HTTP, per Oracle's June 2026 Critical Patch Update. The Security component flaw carries a CVSS 3.1 base score of 9.8 with full confidentiality, integrity, and availability impact, and no public exploit identified at time of analysis. Tags indicate information disclosure as a key consequence, though the vector permits complete product compromise.

Technical ContextAI

Oracle Agile PLM is an on-premise Product Lifecycle Management suite used to manage product records, BOMs, change orders, and supplier collaboration across manufacturing organizations. The affected component is identified only as 'Security,' which in Oracle CPU parlance typically encompasses authentication, session management, or access-control layers fronting the application's HTTP interface (cpe:2.3:a:oracle_corporation:oracle_agile_plm:*). No CWE was assigned, but the combination of network attack vector, lack of privileges, and full-takeover impact is consistent with an authentication bypass or pre-auth deserialization/injection flaw in the HTTP front-end - a recurring pattern in legacy Java EE-based Oracle middleware products like Agile PLM 9.3.x.

RemediationAI

Apply the patch shipped in the Oracle Critical Patch Update of June 2026 for Oracle Agile PLM 9.3.6 as described at https://www.oracle.com/security-alerts/cspujun2026.html (Patch available per vendor advisory; no granular fix build number is published outside My Oracle Support). Until patching, restrict network reachability of the Agile PLM HTTP/HTTPS interface to trusted internal networks via firewall ACLs or a reverse proxy with IP allow-listing, and require VPN access for remote users - accepting that this breaks external supplier and partner portals that some deployments expose. Front the application with a WAF tuned to block anomalous requests against Agile PLM URIs and monitor application and web-tier logs for unauthenticated requests reaching privileged endpoints; note that without a published CWE or PoC, WAF signatures will be generic. Do not rely on disabling individual features as Oracle has not identified a specific toggleable component.

Share

EUVD-2026-37352 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy