Skip to main content

Oracle Siebel CRM EUVDEUVD-2026-37380

| CVE-2026-46888 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.8 HIGH

Local logon required (AV:L) with a low-privileged account (PR:L), no user interaction, and Oracle's own wording 'easily exploitable' supports AC:L; takeover of the deployment yields full C/I/A impact.

3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:27 vuln.today

DescriptionCVE.org

Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Database Upgrade). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM Deployment executes to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in takeover of Siebel CRM Deployment. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Local privilege escalation in Oracle Siebel CRM Deployment (Database Upgrade component) versions 17.0 through 26.5 allows a low-privileged user with logon access to the host running the deployment to fully compromise the Siebel CRM Deployment instance. The flaw carries a CVSS 3.1 base score of 7.8 with high impact across confidentiality, integrity, and availability, and was disclosed in the Oracle Critical Patch Update advisory (cspujun2026). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged logon on Siebel deployment host
Delivery
Locate vulnerable Database Upgrade component
Exploit
Trigger flawed upgrade code path locally
Execution
Escalate within Siebel CRM Deployment
Impact
Take over deployment instance and tamper with upgrade artifacts

Vulnerability AssessmentAI

Exploitation Attacker must already hold a valid low-privileged OS-level logon on the specific host where the Siebel CRM Deployment / Database Upgrade component executes (AV:L, PR:L); the target must be running Oracle Siebel CRM Deployment version 17.0 through 26.5 with the unpatched Database Upgrade component present. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) describes an easily exploitable local attack by an already-authenticated low-privileged user that yields complete takeover of the deployment component - a classic local privilege escalation pattern rather than a remote internet-facing risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator, DBA, or compromised service account with ordinary low-privilege logon to a Siebel CRM Deployment host triggers the vulnerable Database Upgrade code path - for example by invoking, racing, or substituting a file or argument consumed by a higher-privileged deployment process - and gains full control over the Siebel CRM Deployment instance, allowing tampering with upgrade scripts, schema content, and connection credentials. No public exploit identified at time of analysis, so an attacker would need to reverse-engineer the patched component or rely on internal knowledge of the upgrade workflow.
Remediation Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (cspujun2026) to all Siebel CRM Deployment instances in the 17.0-26.5 range; consult https://www.oracle.com/security-alerts/cspujun2026.html for the exact patch IDs that correspond to your installed version, as the input data does not name a specific fixed build (Patch available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all systems running Oracle Siebel CRM Deployment versions 17.0-26.5 and document current host user access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37380 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy