Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the Enterprise Infrastructure Security component of Oracle JD Edwards EnterpriseOne Tools, specifically affecting versions 9.2.0.0 through 9.2.26.2. An unauthenticated attacker who can reach the JDENET service on the target network can exploit this weakness to bypass any authentication checks and gain full control of the tools. The vulnerability classifies as an improper access control issue (CWE‑284) and, when successfully leveraged, results in complete loss of confidentiality, integrity, and availability for the affected application.

Affected Systems

Oracle JD Edwards EnterpriseOne Tools, versions 9.2.0.0 to 9.2.26.2, deployed by Oracle Corporation.

Risk and Exploitability

The CVSS v3.1 base score of 9.8 marks the vulnerability as critical. The EPSS score of less than 1% suggests a low current wild‑world exploitation probability, yet the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only network access to the JDENET port, no user credentials, and it can be performed remotely from any host that can reach the service. Successful exploitation grants an attacker full system takeover of the JD Edwards EnterpriseOne Tools.

Generated by OpenCVE AI on June 19, 2026 at 00:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply Oracle’s security patch that addresses the improper access control flaw (CWE‑284) for JD Edwards EnterpriseOne Tools.
  • Configure JDENET to enforce strong authentication and role‑based authorization, disabling anonymous or unauthenticated connections.
  • Block incoming JDENET traffic at the network perimeter using firewall or VPN restrictions to limit access to trusted sources.

Generated by OpenCVE AI on June 19, 2026 at 00:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:45:00 +0000

Type Values Removed Values Added
Title JD Edwards EnterpriseOne Tools Unauthenticated JDENET Access Enables Remote Takeover

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated RCE via JDENET in Oracle JD Edwards EnterpriseOne Tools
Weaknesses CWE-94

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated RCE via JDENET in Oracle JD Edwards EnterpriseOne Tools
Weaknesses CWE-284
CWE-94
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle jd Edwards Enterpriseone Tools
CPEs cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle jd Edwards Enterpriseone Tools
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Jd Edwards Enterpriseone Tools
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:51.253Z

Reserved: 2026-05-18T15:55:10.309Z

Link: CVE-2026-46878

cve-icon Vulnrichment

Updated: 2026-06-17T15:17:41.408Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:45:04Z

Weaknesses