Skip to main content

JD Edwards EnterpriseOne EUVDEUVD-2026-37383

| CVE-2026-46891 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

HTTP-reachable EnterpriseOne web tier (AV:N/AC:L), any authenticated low-privilege user suffices (PR:L), no UI; full read/write to AP data gives C:H/I:H, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:26 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Accounts Payable accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Accounts Payable accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

High-impact data tampering and disclosure in Oracle JD Edwards EnterpriseOne Accounts Payable 9.2 allows a low-privileged attacker with HTTP network access to read, create, modify, or delete all data accessible to the Accounts Payable component. Oracle rates the flaw as easily exploitable with CVSS 8.1, and no public exploit identified at time of analysis. The bug threatens financial data integrity, making it directly relevant to SOX, audit, and fraud-control programs.

Technical ContextAI

JD Edwards EnterpriseOne is Oracle's ERP suite; the Accounts Payable module handles vendor invoices, payments, and supplier master data within the EnterpriseOne HTML/web tier accessed over HTTP. Although Oracle and the source feed do not assign a CWE, the combination of HTTP attack surface, low-privilege precondition, and high confidentiality/integrity impact (C:H/I:H, A:N) is characteristic of broken access control or authorization-bypass classes (CWE-285/CWE-862/CWE-863) - typical of EnterpriseOne issues where an authenticated user can invoke AP functions or data objects outside their assigned role. CPE coverage (cpe:2.3:a:oracle_corporation:jd_edwards_enterpriseone_accounts_payable) and the Oracle CPU advisory both scope the issue to the Accounts Payable component rather than the EnterpriseOne platform as a whole.

RemediationAI

Apply Oracle's June 2026 Critical Patch Update fixes for JD Edwards EnterpriseOne 9.2 Accounts Payable as documented at https://www.oracle.com/security-alerts/cspujun2026.html - patch available per vendor advisory; the exact fix tools-release/bundle should be taken directly from that CPU rather than inferred. Until the CPU is deployed, reduce blast radius by tightening role-based security on Accounts Payable applications and BSFNs (for example P0411, P04571, P0413M and related AP UBEs), removing the AP role from any generic or test users, and restricting HTTP access to the EnterpriseOne HTML Server to trusted networks via WAF or VPN ACLs - note this will block legitimate remote AP processing for users outside those networks. Enable EnterpriseOne security workbench auditing and database-level logging on F0411/F0413/F0414 to detect unauthorized creation or modification of invoices and payments during the exposure window.

Share

EUVD-2026-37383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy