Description
Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Database Upgrade). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM Deployment executes to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in takeover of Siebel CRM Deployment. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Database Upgrade component of Oracle Siebel CRM Deployment and allows an attacker who has only low‑privileged local access to the hosting infrastructure to compromise the application. The flaw appears to involve improper privilege handling, as suggested by the CVSS vector AV:L/PR:L and the impact escalation to full control of the deployment, resulting in loss of confidentiality, integrity, and availability. The description explicitly states that successful exploitation can lead to takeover of Siebel CRM Deployment.

Affected Systems

Oracle Siebel CRM Deployment versions 17.0 through 26.5 are affected. All builds of this product that fall under the Oracle Siebel CRM umbrella are vulnerable, as outlined in the vendor’s security advisory.

Risk and Exploitability

The CVSS score of 7.8 denotes a high‑severity flaw, yet the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. It is a local attack, requiring the adversary to log on to the infrastructure where Siebel CRM Deployment runs before attempting to manipulate the upgrade component. No additional user interaction is required once local access is established.

Generated by OpenCVE AI on June 17, 2026 at 20:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle Siebel CRM Deployment patch or upgrade to a release newer than 26.5 that contains the fix as detailed in Oracle’s security advisory
  • Restrict local accounts so that only those with explicit need have logon rights to the directories and services used by Siebel CRM Deployment, revoking file‑system permissions for other users
  • Audit and eliminate unnecessary local accounts that have logon rights to the infrastructure hosting the deployment to enforce the principle of least privilege

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Database Upgrade). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM Deployment executes to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in takeover of Siebel CRM Deployment. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle siebel Crm Deployment
CPEs | | cpe:2.3:a:oracle:siebel_crm_deployment:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle siebel Crm Deployment
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-16T19:27:43.420Z

Reserved: 2026-05-18T15:55:10.309Z

Link: CVE-2026-46888

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:45:04Z

Weaknesses

No weakness.