Skip to main content

Oracle Enterprise Manager EUVDEUVD-2026-37368

| CVE-2026-46875 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

OEM management interface is network-reachable over HTTPS (AV:N/AC:L), exploitation requires an OEM super-admin (PR:H), no user interaction, and Deployment Library abuse crosses into managed products (S:C) with full C/I/A.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:33 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Deployment Library). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Deployment Library component, where a high-privileged attacker with HTTPS network access can fully compromise the platform and pivot into other managed Oracle products through a scope change. No public exploit identified at time of analysis, but the CVSS 3.1 score of 9.1 reflects severe confidentiality, integrity, and availability impact across multiple downstream systems. Patched via Oracle Critical Patch Update advisory cspujun2026.

Technical ContextAI

Oracle Enterprise Manager (OEM) Base Platform is Oracle's centralized management framework for databases, middleware, engineered systems, and cloud workloads. The vulnerable Deployment Library component is responsible for storing and distributing software components, patches, and provisioning artifacts to managed targets - meaning code originating from this library is implicitly trusted by downstream agents. No CWE is assigned by Oracle, but the scope-change behavior (CVSS S:C) combined with the Deployment Library's role suggests improper authorization or trust boundary handling that lets an authenticated administrative actor abuse deployment-distribution logic to act against other Oracle products managed by the platform. The CPE string cpe:2.3:a:oracle_corporation:oracle_enterprise_manager_base_platform identifies the specific affected SKU.

RemediationAI

Apply the patches from the Oracle Critical Patch Update of June 2026 referenced at https://www.oracle.com/security-alerts/cspujun2026.html, which is the vendor-released fix for OEM Base Platform 13.5 and 24.1; exact patched build numbers are listed in the Oracle advisory matrix and should be matched to your OEM release. Until patching is possible, reduce the population of accounts with high OEM privileges (SUPER_USER, EM_ALL_ADMINISTRATOR, and Deployment Library roles), enforce MFA and jump-host access for the OMS console and EM CLI, and restrict HTTPS access to the OEM console and Deployment Library endpoints to a management VLAN - note that tightening role membership may temporarily block legitimate provisioning workflows, and network restrictions can interfere with remote DBA access if not coordinated. Audit Deployment Library activity and OMS access logs for anomalous high-privilege actions in the interim.

CVE-2026-46855 CRITICAL
9.9 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible by a low-privileged remote attacker v

CVE-2026-46852 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 is possible through the Metadata P

CVE-2026-46854 CRITICAL
9.9 Jun 16

Privilege escalation and full takeover in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Target Management compo

CVE-2026-46832 CRITICAL
9.9 Jun 16

Privileged takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible through the Discovery Framework

CVE-2026-46857 CRITICAL
9.8 Jun 16

Remote code execution in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1 allows unauthenticated network a

CVE-2026-46856 CRITICAL
9.6 Jun 16

Remote takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible when an unauthenticated attacker ov

CVE-2026-46853 CRITICAL
9.6 Jun 16

Cross-scope takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthenticated remote attackers to

CVE-2026-46872 CRITICAL
9.0 Jun 16

Privileged remote tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Install component) allows an authe

CVE-2026-46864 HIGH
8.8 Jun 16

Authenticated takeover of Oracle Enterprise Manager Base Platform 13.5 and 24.1 is possible via the Agent Next Gen compo

CVE-2026-46866 HIGH
8.2 Jun 16

Remote denial-of-service and data tampering in Oracle Enterprise Manager Base Platform 13.5 and 24.1 allows unauthentica

CVE-2026-46865 HIGH
8.2 Jun 16

Privileged local compromise in Oracle Enterprise Manager Base Platform 13.5 and 24.1 (Extensibility Framework component)

CVE-2026-46868 HIGH
7.2 Jun 16

Full takeover of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1) is possible by an authenticated, high-

Share

EUVD-2026-37368 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy