Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.26.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
Published: 2026-01-20
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized data modification and exposure
Action: Patch Immediately
AI Analysis

Impact

The JD Edwards EnterpriseOne Tools product is vulnerable through its Web Runtime SEC component, allowing an unauthenticated attacker with HTTP network access to deliver a browser-based exploit that enables unauthorized read, insert, update, or delete of data. The flaw, classified as CWE-79 (cross-site scripting), compromises the confidentiality and integrity of the system, and because it requires the attacker to trick a non-attacker user into interacting with malicious content, the attack is not immediate but can have significant consequences once triggered.

Affected Systems

The vulnerability affects Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.0. Oracle issued an advisory for these releases, and the listed component is the Web Runtime SEC.

Risk and Exploitability

With a CVSS 3.1 base score of 6.1 and an EPSS below 1 percent, the flaw represents a moderate‑severity risk with a very low likelihood of exploitation in the wild. It is not yet catalogued in the CISA KEV list. The attack vector is network‑based over HTTP, and the attacker requires the cooperation of a legitimate user to complete the exploit; however, the flaw can also affect other products, potentially extending its scope beyond the initially targeted instance.

Generated by OpenCVE AI on April 18, 2026 at 04:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle CPU January 2026 patch for JD Edwards EnterpriseOne Tools as outlined in the advisory.
  • Limit inbound HTTP traffic to JD Edwards EnterpriseOne Tools to trusted IP ranges or subnetworks to reduce exposure.
  • Enforce strong authentication and session management for the Web Runtime SEC component to prevent unauthorized interaction from compromised browsers.
  • Monitor application logs for unusual read or write activity that could indicate exploitation of the vulnerability.

Generated by OpenCVE AI on April 18, 2026 at 04:33 UTC.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 05:00:00 +0000

  Type: Title
  Values Removed: -
  Values Added: JD Edwards EnterpriseOne Tools: Unauthenticated HTTP Access Enables Unauthorized Data Modification

Wed, 21 Jan 2026 15:15:00 +0000

  Type: Weaknesses
  Values Removed: -
  Values Added: CWE-79

  Type: Metrics (ssvc)
  Values Removed: -
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 22:15:00 +0000

  Type: Description
  Values Removed: -
  Values Added: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.26.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

  Type: First Time appeared
  Values Removed: -
  Values Added: Oracle; Oracle jd Edwards Enterpriseone Tools

  Type: CPEs
  Values Removed: -
  Values Added: cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*

  Type: Vendors & Products
  Values Removed: -
  Values Added: Oracle; Oracle jd Edwards Enterpriseone Tools

  Type: References
  Values Removed: -
  Values Added: -

  Type: Metrics (cvssV3_1)
  Values Removed: -
  Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-01-21T15:07:29.834Z

Reserved: 2026-01-05T18:07:34.712Z

Link: CVE-2026-21946

Vulnrichment

Updated: 2026-01-21T15:07:17.455Z

NVD

Status : Analyzed

Published: 2026-01-20T22:15:57.500

Modified: 2026-01-29T20:48:16.090

Link: CVE-2026-21946

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T04:45:36Z

Weaknesses