Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Enterprise Infrastructure Security component of Oracle JD Edwards EnterpriseOne Tools. An unauthenticated attacker with network access via JDENET can bypass normal authentication, allowing the attacker to compromise the application and ultimately take full control of JD Edwards EnterpriseOne Tools.

Affected Systems

Oracle JD Edwards EnterpriseOne Tools, versions 9.2.0.0 through 9.2.26.2, are affected. Systems that expose the JDENET interface to unauthenticated attackers are at risk; environments without JDENET connectivity are not impacted.

Risk and Exploitability

The flaw bears a CVSS v3.1 score of 9.8, indicating critical severity with full confidentiality, integrity and availability impacts. The EPSS score is below 1%, showing low historical exploitation frequency. The vulnerability is not listed in the CISA KEV catalog. Successful exploitation requires only remote network access to the JDENET service and does not need credentials, enabling an attacker to assume full control of JD Edwards EnterpriseOne Tools.

Generated by OpenCVE AI on June 18, 2026 at 23:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch for JD Edwards EnterpriseOne Tools as soon as it is released.
  • Limit JDENET access to trusted internal hosts or disable JDENET if not required.
  • Segregate and monitor JDENET traffic using network segmentation and logging.

Generated by OpenCVE AI on June 18, 2026 at 23:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Network Exploit Enables Full Control of Oracle JD Edwards EnterpriseOne Tools via JDENET

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated JDENET Access Enables Full Control of JD Edwards EnterpriseOne Tools
Weaknesses CWE-287
CWE-306

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated JDENET Access Enables Full Control of JD Edwards EnterpriseOne Tools
Weaknesses CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle jd Edwards Enterpriseone Tools
CPEs cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle jd Edwards Enterpriseone Tools
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Jd Edwards Enterpriseone Tools
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:53.437Z

Reserved: 2026-05-18T15:55:10.309Z

Link: CVE-2026-46880

cve-icon Vulnrichment

Updated: 2026-06-17T15:20:54.488Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:45:16Z

Weaknesses