Description
Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: EAI). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in takeover of Siebel CRM Integration. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability enables a low‑privileged attacker who can reach the Siebel CRM Integration component over HTTP to fully compromise the system, thereby gaining uncontrolled access to the application, data, and services it manages. The CVSS vector indicates network‑based exploitation with low attack complexity and no user interaction, resulting in confidentiality, integrity, and availability impacts. Successful exploitation effectively transfers ownership of the integration component to the attacker.

Affected Systems

Oracle Corporation’s Siebel CRM Integration (EAI component) versions 17.0 through 26.5 are affected. Affected hosts are those exposing the HTTP interface of the integration service.

Risk and Exploitability

The vulnerability carries a CVSS base score of 8.8, indicating high severity. EPSS is reported as less than 1 %, a very low exploitation probability, and it is not listed in CISA’s KEV catalog. Nevertheless, because the attacker only needs network access and low privileges, the potential for a fast, automated compromise remains considerable. The likely attack vector is an unauthenticated or minimally authenticated HTTP request that leverages a defect in the integration’s access control or input handling logic to gain administrative control of the component.

Generated by OpenCVE AI on June 19, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle security patch released for CVE‑2026‑46885 as outlined in the referenced advisory
  • Restrict network access to the Siebel CRM Integration HTTP endpoint to trusted hosts or internal networks only
  • If a patch is unavailable, disable public exposure of the HTTP service or enforce strict firewall and authentication controls to block unauthorized requests

Generated by OpenCVE AI on June 19, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Title Severe Low-Privilege HTTP Exploit in Siebel CRM Integration

Thu, 18 Jun 2026 22:15:00 +0000

Type Values Removed Values Added
Title Low-Privilege Remote Exploitation in Oracle Siebel CRM Integration via HTTP
Weaknesses CWE-284

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege Remote Exploitation in Oracle Siebel CRM Integration via HTTP
Weaknesses CWE-269
CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Siebel CRM Integration product of Oracle Siebel CRM (component: EAI). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel CRM Integration. Successful attacks of this vulnerability can result in takeover of Siebel CRM Integration. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle siebel Crm Integration
CPEs cpe:2.3:a:oracle:siebel_crm_integration:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle siebel Crm Integration
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Siebel Crm Integration
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:56:58.882Z

Reserved: 2026-05-18T15:55:10.309Z

Link: CVE-2026-46885

cve-icon Vulnrichment

Updated: 2026-06-17T15:43:09.073Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:48Z

Weaknesses
  • CWE-269

    Improper Privilege Management