Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Oracle's JD Edwards EnterpriseOne Tools lets an unauthenticated attacker with network access via JDENET take full control of the Tools component. The flaw directly undermines confidentiality, integrity, and availability, earning a CVSS 3.1 base score of 9.8, and falls under the weakness classes CWE-284 (improper access control) and CWE-306 (missing authentication).

Affected Systems

The affected product is Oracle Corporation’s JD Edwards EnterpriseOne Tools, specifically versions 9.2.0.0 through 9.2.26.2. These releases provide the Enterprise Infrastructure Security component that is vulnerable to the described authentication bypass and subsequent takeover.

Risk and Exploitability

The CVSS score indicates critical severity. The EPSS score is below 1% and the flaw is not listed in KEV, but neither diminishes the urgency: the flaw can be exploited remotely by any entity able to reach JDENET over the network. Because no authentication is required and the vector is network-reachable with low attack complexity (AV:N/AC:L/PR:N), it is potentially easy for a motivated attacker to trigger, warranting prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 19:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle‑recommended security patch for JD Edwards EnterpriseOne Tools versions 9.2.0.0–9.2.26.2 as detailed in the Oracle security alert
  • Restrict network access to JDENET so that only trusted IP addresses can communicate with JD Edwards EnterpriseOne Tools
  • Configure firewall rules or intrusion detection systems to block unauthorized JDENET traffic to the JD Edwards servers

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle jd Edwards Enterpriseone Tools
CPEs | | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle jd Edwards Enterpriseone Tools
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T15:20:03.821Z

Reserved: 2026-05-18T15:55:10.309Z

Link: CVE-2026-46879

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T01:00:15Z

Weaknesses

No weakness.