Skip to main content

Oracle Siebel CRM EUVDEUVD-2026-37381

| CVE-2026-46889 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Oracle describes easy unauthenticated HTTP exploitation resulting in full takeover of the Marketing component, with no scope change beyond that module, justifying full CIA:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:27 vuln.today

DescriptionCVE.org

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Unauthenticated remote takeover of Oracle Siebel Apps - Marketing (versions 17.0 through 26.5) is possible via HTTP, allowing attackers to fully compromise confidentiality, integrity, and availability of the marketing component. Oracle's CVSS 3.1 base score of 9.8 reflects trivial network exploitability with no authentication or user interaction, and no public exploit identified at time of analysis. The flaw was disclosed in Oracle's Critical Patch Update cycle and tracked in ENISA's EUVD as EUVD-2026-37381.

Technical ContextAI

Siebel Apps - Marketing is the marketing automation module of Oracle's Siebel CRM suite, used by enterprises for campaign management, segmentation, and customer outreach. The affected CPE (cpe:2.3:a:oracle_corporation:siebel_apps_-_marketing) covers all versions from 17.0 (the start of Siebel Innovation Pack 17) through 26.5. Oracle did not assign a CWE and provided no technical detail beyond the CVSS vector, but the AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H profile combined with HTTP as the attack channel is typical of unauthenticated injection, deserialization, or authentication-bypass classes in Java/web-tier components of Siebel.

RemediationAI

Apply the patch from Oracle's June 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Patch available per vendor advisory but the exact fixed Siebel Innovation Pack or quick-fix bundle number is not enumerated in the input and should be retrieved directly from the CPU matrix for your installed version. As compensating controls until patching, restrict HTTP access to the Siebel Marketing component to known administrative and campaign-operator source networks via WAF or network ACLs, disable any externally exposed Marketing servlets or endpoints that are not in active use, and increase web-tier logging to capture anomalous POST bodies and authentication failures - note that restricting network access will block legitimate remote marketing users and external integrations such as email service providers calling back into Siebel.

Share

EUVD-2026-37381 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy