Skip to main content

Oracle Enterprise Command Center Framework EUVDEUVD-2026-37387

| CVE-2026-46895 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Network-reachable HTTP endpoint (AV:N), low complexity (AC:L), requires a low-privileged EBS account per description (PR:L), no user interaction (UI:N), scope change into other EBS modules (S:C), full takeover (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:23 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privilege escalation and full takeover of Oracle Enterprise Command Center Framework (versions V15 and V16) is achievable by a low-privileged remote attacker over HTTP, with a scope change that lets the compromise impact other Oracle E-Business Suite components. The flaw carries a CVSS 3.1 base score of 9.9 (C:H/I:H/A:H, S:C). No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

Oracle Enterprise Command Center Framework (ECC) is an analytics and discovery layer bundled with Oracle E-Business Suite (EBS) that exposes data-driven dashboards over HTTP through the EBS application tier. The advisory identifies the affected component as 'Core', meaning the framework's central request-handling/authorization logic rather than a specific dashboard plugin. No CWE is assigned in the input, but the CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C, full C/I/A impact) is characteristic of an authorization or trust-boundary flaw where a low-privileged session can pivot beyond ECC into adjoining EBS modules sharing the same application tier. The affected CPE 'cpe:2.3:a:oracle_corporation:oracle_enterprise_command_center_framework:*' covers all releases of ECC V15 and V16 per the ENISA EUVD record (EUVD-2026-37387).

RemediationAI

Patch available per vendor advisory: apply the Oracle Critical Patch Update of June 2026 for Oracle E-Business Suite as documented at https://www.oracle.com/security-alerts/cspujun2026.html, which delivers the fix for both ECC V15 and V16 - Oracle does not publish discrete patched ECC build numbers in the input data, so administrators should follow the CPU's per-product patch matrix to identify the exact bundle for their EBS release. Until the CPU is applied, restrict network reachability of the EBS application tier (and specifically the ECC URLs under /OA_HTML/ and /ecc/) to trusted corporate networks or VPN clients via the reverse proxy or WAF, accepting that this breaks external user dashboards; tighten EBS responsibility assignments so the pool of users holding even low-privileged ECC access is minimized, accepting added administrative overhead; and increase monitoring of EBS access logs for anomalous low-privilege users hitting ECC endpoints. Do not rely on these compensating controls as a long-term substitute for the CPU.

Share

EUVD-2026-37387 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy