Skip to main content

Oracle Enterprise Command Center Framework EUVDEUVD-2026-37388

| CVE-2026-46896 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network HTTP reachability with low complexity and no user interaction, but requires a high-privileged EBS account (PR:H); scope change and full CIA loss reflect cross-product impact within EBS.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:23 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Privileged takeover of Oracle Enterprise Command Center Framework (ECC) versions V15 and V16, a component of Oracle E-Business Suite, allows a high-privileged authenticated attacker with HTTP network access to fully compromise the ECC component and, through a scope change, significantly impact additional integrated products. Oracle's June 2026 Critical Patch Update advisory rates this CVSS 9.1 (C:H/I:H/A:H with S:C), and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privileged EBS credentials
Delivery
Reach ECC Core HTTP endpoint
Exploit
Send crafted authenticated request
Execution
Take over ECC component
Persist
Pivot across scope boundary into adjacent EBS products
Impact
Exfiltrate or tamper with ERP data

Vulnerability AssessmentAI

Exploitation Exploitation requires a high-privileged authenticated session against the Oracle E-Business Suite web tier with reachability to the Enterprise Command Center Framework Core HTTP endpoints (PR:H, AV:N, AC:L, UI:N), and the target must be running ECC V15 or V16 as part of an EBS deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H yields 9.1 - the high score is driven primarily by the scope change and full CIA impact, not by ease of access, since PR:H means the attacker must already hold high privileges within ECC or the EBS stack. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a high-privileged EBS account - for example via phishing a functional administrator or abusing an over-privileged integration user - authenticates to the EBS web tier and issues crafted HTTP requests to an Oracle Enterprise Command Center Framework Core endpoint, taking over the ECC component. Because the flaw triggers a CVSS scope change, the attacker then leverages ECC's trust relationships to read or modify data and services in adjacent EBS products on the same middle tier. …
Remediation Apply the patches from Oracle's June 2026 Critical Patch Update for Oracle E-Business Suite (https://www.oracle.com/security-alerts/cspujun2026.html), which is the only vendor-released remediation identified for ECC V15 and V16; an exact post-patch ECC build string is not enumerated in the input, so administrators should consult the CPU patch matrix for their EBS release to identify the specific ECC bundle patch. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Oracle E-Business Suite deployments running ECC V15 or V16; enumerate all user accounts with administrative access to ECC consoles. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37388 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy