Skip to main content

Oracle Enterprise Command Center Framework EUVDEUVD-2026-37389

| CVE-2026-46897 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
vuln.today AI
9.9 CRITICAL

Network HTTP exploitation by an authenticated low-privileged user (PR:L), low complexity, scope change into other EBS products, high C/I impact and only partial DoS justifies A:L.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:22 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).

AnalysisAI

Privileged data manipulation and disclosure in Oracle Enterprise Command Center Framework V15 and V16 allows a low-privileged remote attacker over HTTP to gain unauthorized read, modify, and delete access to all framework-accessible data, with scope change extending impact to other Oracle E-Business Suite products. The CVSS 9.9 score reflects low attack complexity, low privileges required, and the scope change that crosses security boundaries into adjacent products. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.

Technical ContextAI

Oracle Enterprise Command Center Framework (ECC) is a component of Oracle E-Business Suite that provides a unified interface to surface, search, and analyze operational data across EBS modules - it embeds a search and analytics layer into EBS application screens. The affected component is identified as 'Core', meaning the foundational framework rather than a specific dashboard. CWE is not assigned by the reporter, but the CVSS vector (PR:L, S:C, C:H/I:H/A:L) is characteristic of authorization-bypass or insufficient access-control flaws in multi-tenant web frameworks where an authenticated low-privileged user can pivot to data and functions belonging to other applications integrated through ECC.

RemediationAI

Apply the patches bundled in Oracle Critical Patch Update June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle Enterprise Command Center Framework V15 and V16; Oracle does not publish standalone fix version numbers outside the CPU advisory, so consult the CPU patch matrix for the specific patch identifier matching your EBS release. If immediate patching is not feasible, compensating controls include restricting ECC URLs to trusted internal network segments via a reverse proxy or WAF, auditing and reducing the population of low-privileged EBS accounts that can reach ECC dashboards, and enabling EBS access logging to detect anomalous cross-module data access - note these controls reduce exposure but do not close the underlying authorization defect, and over-aggressive URL filtering may break legitimate ECC dashboard embedding within EBS forms.

Share

EUVD-2026-37389 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy