Description
Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Database Upgrade). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM Deployment executes to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in takeover of Siebel CRM Deployment. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Siebel CRM Deployment product contains a flaw in its Database Upgrade component that permits an attacker who has logged on with a low‑privileged account on the server to change the privileges or configuration of the deployment. By exercising the upgrade functionality, the attacker can elevate privileges within the application, gaining full control. This results in the compromise of confidentiality, integrity, and availability of all data managed by Siebel CRM. The weakness manifests as insufficient access control (CWE-284), allowing the attacker to bypass normal authorization checks.

Affected Systems

Oracle Corporation’s Siebel CRM Deployment, versions 17.0 through 26.5, are affected. The vulnerability lies specifically in the Database Upgrade component of the deployment, and any build falling within that version range that includes this component is vulnerable. The impact extends to all deployments of the Siebel CRM product tree that rely on the mentioned upgrade process.

Risk and Exploitability

The flaw is rated CVSS 3.1 Base Score of 7.8, categorizing it as high severity. The EPSS score of less than 1% indicates that real-world exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. Because it requires local low‑privileged or administrative access to the host where Siebel CRM runs, it is a local attack vector and can be mitigated by restricting local account privileges. Successful exploitation would give an attacker complete control over application logic and data, creating a high risk scenario for organizations that rely on Siebel CRM.

Generated by OpenCVE AI on June 18, 2026 at 23:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle Siebel CRM Deployment patch or upgrade to a newer release beyond version 26.5 as described in the vendor’s security advisory.
  • Restrict local accounts so that only users who must log on to the server for deployment or maintenance have logon rights, and revoke file‑system permissions for all other local accounts.
  • Audit and remove any unnecessary local accounts with logon rights to the infrastructure hosting Siebel CRM to enforce the principle of least privilege.

Generated by OpenCVE AI on June 18, 2026 at 23:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Database Upgrade in Oracle Siebel CRM Deployment

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Database Upgrade in Siebel CRM Deployment
Weaknesses CWE-269
CWE-640

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Local Privilege Escalation via Database Upgrade in Siebel CRM Deployment
Weaknesses CWE-269
CWE-640

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Database Upgrade). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM Deployment executes to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in takeover of Siebel CRM Deployment. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle siebel Crm Deployment
CPEs cpe:2.3:a:oracle:siebel_crm_deployment:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle siebel Crm Deployment
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Siebel Crm Deployment
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T14:21:50.235Z

Reserved: 2026-05-18T15:55:10.309Z

Link: CVE-2026-46888

cve-icon Vulnrichment

Updated: 2026-06-18T14:20:24.203Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:45:16Z

Weaknesses