Description
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability exists in the Metadata Plugin component of Oracle Enterprise Manager Base Platform. The flaw is easily exploitable by an attacker with low privileges and network reach via HTTPS. Once successfully exploited, the attacker can achieve full compromise of the platform, leading to total loss of confidentiality, integrity, and availability. The attack requires only standard HTTPS communication and does not require elevated permissions, making the threat surface wide. The vulnerability’s CVSS score of 9.9 indicates a critical severity.

Affected Systems

Oracle Enterprise Manager Base Platform from Oracle Corporation is affected. The vulnerability impacts supported releases 13.5 and 24.1. Only these versions have been confirmed to be vulnerable; newer or older builds are not listed as affected.

Risk and Exploitability

The CVSS score of 9.9 combined with the low privilege requirement indicates a very high exploitation risk. However, the EPSS score of less than 1% suggests that exploitation attempts are currently rare, and the issue is not recorded in the CISA KEV catalog. The likely attack vector is HTTPS, where a crafted request to the Metadata Plugin triggers the compromise and a scope change, elevating low‑privileged access to full control of the system.

Generated by OpenCVE AI on June 17, 2026 at 20:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch or upgrade affected installations of Oracle Enterprise Manager Base Platform (13.5 or 24.1) to a non‑affected release.
  • Limit external HTTPS access to the Oracle Enterprise Manager Base Platform instance by implementing network segmentation or firewall rules so that only trusted administrators can reach it.
  • Configure the Metadata Plugin to enforce strict access control, ensuring that only authenticated users with sufficient privileges can interact with it; consider disabling the plugin if it is not required.

Generated by OpenCVE AI on June 17, 2026 at 20:06 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). |
| First Time appeared | | Oracle, Oracle Enterprise Manager Base Platform |
| CPEs | | cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5:\*:\*:\*:\*:\*:\*:\*, cpe:2.3:a:oracle:enterprise_manager_base_platform:24.1:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Oracle, Oracle Enterprise Manager Base Platform |
| References | | |
| Metrics | | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:23:44.208Z

Reserved: 2026-05-18T15:55:10.307Z

Link: CVE-2026-46855

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T23:15:16Z

Weaknesses

No weakness.