Skip to main content

JD Edwards EnterpriseOne EUVDEUVD-2026-37384

| CVE-2026-46892 CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.1 CRITICAL

HTTP-reachable HR module exploitable without credentials or user interaction (AV:N/AC:L/PR:N/UI:N); full read/write to HR data (C:H/I:H) with no availability impact described (A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:25 vuln.today

DescriptionCVE.org

Vulnerability in the JD Edwards EnterpriseOne Human Resources Management product of Oracle JD Edwards (component: Human Resources). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Human Resources Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Human Resources Management accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Human Resources Management accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Unauthenticated remote compromise of Oracle JD Edwards EnterpriseOne Human Resources Management 9.2 allows network attackers to read and modify all data accessible through the Human Resources component via crafted HTTP requests. Oracle rates this CVSS 9.1 with high confidentiality and integrity impact but no availability impact, and labels it 'easily exploitable.' No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed JD Edwards EnterpriseOne HTML server
Delivery
Enumerate Human Resources Management endpoints
Exploit
Send crafted unauthenticated HTTP request
Execution
Bypass authorization check on HR servlet
Persist
Read or modify HR records
Impact
Exfiltrate PII/payroll data

Vulnerability AssessmentAI

Exploitation Attacker needs network HTTP/HTTPS reachability to an Oracle JD Edwards EnterpriseOne 9.2 deployment that has the Human Resources Management module enabled and exposed via the EnterpriseOne HTML/web server tier; no credentials, no user interaction, and no scope change are required (PR:N/UI:N/S:U). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N indicates a network-reachable, low-complexity, no-auth, no-user-interaction flaw with full impact to confidentiality and integrity of HR data, and Oracle itself describes it as 'easily exploitable' - all strong signals that this should be patched promptly on any internet- or partner-exposed JD Edwards tier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the JD Edwards EnterpriseOne HTML/web server (for example via an exposed intranet portal, partner extranet, or compromised VPN foothold) sends a crafted HTTP request to a Human Resources Management endpoint and, without supplying credentials, reads or modifies HR records such as employee compensation, personal data, or benefits enrollment. No POC is referenced in the available intelligence, but Oracle's own 'easily exploitable / unauthenticated / network' framing suggests a single-request exploitation pattern is plausible once the vulnerable endpoint is identified.
Remediation Apply the fixes from the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html); the advisory bundles the JD Edwards EnterpriseOne Human Resources Management 9.2 patch - install the CPU-referenced bundle/Tools release for your 9.2 environment as soon as your change window permits, since exact fix version is published only inside the CPU matrix. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Oracle JD Edwards 9.2 systems running the HR module and assess their network accessibility. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy