Description
Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Accounts Payable accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Accounts Payable accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Accounts Payable component of Oracle JD Edwards EnterpriseOne allows a low‑privileged attacker who can reach the application over HTTP to create, delete, or modify critical data. The weakness, identified as an access‑control bypass, results in high confidentiality and integrity impact, enabling an attacker to access or alter all Accounts Payable data that the application exposes.

Affected Systems

The vulnerability affects Oracle Corporation’s JD Edwards EnterpriseOne Accounts Payable, specifically version 9.2. No other product or version information is supplied.

Risk and Exploitability

The CVSS 3.1 base score of 8.1 places the flaw in the high severity range. The EPSS score is below 1 %, indicating a low exploitation probability, and the flaw is not listed in CISA’s KEV catalog. The attack vector is network‑based over HTTP, with only low privilege required; successful exploitation would grant an attacker unauthorized data access and modification capabilities.

Generated by OpenCVE AI on June 18, 2026 at 14:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest security patch for JD Edwards EnterpriseOne Accounts Payable from Oracle
  • Restrict HTTP exposure of the application to trusted networks and enforce strong authentication and role‑based access control
  • Monitor logs for unexpected account creation, deletion, or modification activity

Generated by OpenCVE AI on June 18, 2026 at 14:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title JD Edwards EnterpriseOne Accounts Payable Unauthorized Access via HTTP

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Accounts Payable accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Accounts Payable accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
First Time appeared Oracle
Oracle jd Edwards Enterpriseone Accounts Payable
CPEs cpe:2.3:a:oracle:jd_edwards_enterpriseone_accounts_payable:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle jd Edwards Enterpriseone Accounts Payable
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Oracle Jd Edwards Enterpriseone Accounts Payable
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:06.100Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46891

cve-icon Vulnrichment

Updated: 2026-06-17T13:07:39.749Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:04Z

Weaknesses