CVE-2026-46858 - Vulnerability Details

Description

Vulnerability in the APM - Application Performance Management product of Oracle Enterprise Manager (component: JADM, JVM Diagnostics). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise APM - Application Performance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all APM - Application Performance Management accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of APM - Application Performance Management. CVSS 3.1 Base Score 9.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

Published: 2026-06-16

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability exists in the Oracle Application Performance Management (APM) product, specifically in the JADM and JVM Diagnostics components. An unauthenticated attacker who can reach the service via HTTP can create, delete, or modify critical data and can also cause the application to repeatedly crash. This leads to high integrity and availability impacts, allowing the attacker to alter or destroy data and disrupt service operations.

Affected Systems

The affected products are Oracle APM 13.5 and 24.1, part of Oracle Enterprise Manager. No other versions are listed as impacted.

Risk and Exploitability

With a CVSS score of 9.1 the vulnerability is considered critical. The EPSS score of less than 1% indicates that, as of the current data, exploit attempts observed globally are rare, but the low entry barrier and lack of authentication make it highly attractive for attackers. The attack vector is network-based via HTTP, and the vulnerability is not currently listed in the CISA KEV catalog.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

APM - Application Performance Management

affected

Version	Status	Constraints
`13.5`	affected	—
`24.1`	affected	—

No data.

Vendor Product Confidence Versions

Oracle

Apm - Application Performance Management

95%

Version	Status	Scheme	Platform
`13.5`	affected	generic	—
`24.1`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Oracle APM patch for versions 13.5 and 24.1, which fixes the JADM/JVM Diagnostics flaw.
Disable or restrict anonymous access to the JADM interface and other diagnostic HTTP endpoints.
Configure firewall rules to allow APM traffic only from trusted management networks.

Generated by OpenCVE AI on June 17, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00473.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://www.oracle.com/security-alerts/cspujun2026.html

History

Tue, 16 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the APM - Application Performance Management product of Oracle Enterprise Manager (component: JADM, JVM Diagnostics). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise APM - Application Performance Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all APM - Application Performance Management accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of APM - Application Performance Management. CVSS 3.1 Base Score 9.1 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).
First Time appeared		Oracle Oracle apm - Application Performance Management
CPEs		cpe:2.3:a:oracle:apm_-_application_performance_management:13.5:::::::* cpe:2.3:a:oracle:apm_-_application_performance_management:24.1:::::::*
Vendors & Products		Oracle Oracle apm - Application Performance Management
References		https://www.oracle.com/security-alerts/cspujun2026.html
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}`

Subscriptions

Oracle Apm - Application Performance Management

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-06-16T19:27:34.318Z

Updated: 2026-06-17T14:40:12.421Z

Reserved: 2026-05-18T15:55:10.307Z

Link: CVE-2026-46858

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T03:15:02Z

Weaknesses

No weakness.

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact High

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object