Description
Vulnerability in the JD Edwards EnterpriseOne Human Resources Management product of Oracle JD Edwards (component: Human Resources). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Human Resources Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Human Resources Management accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Human Resources Management accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in JD Edwards EnterpriseOne Human Resources Management (version 9.2) permits an unauthenticated attacker to create, delete, or modify data, or to read sensitive information without permission. The vulnerability is tied to weaknesses in authentication and authorization controls, as identified by CWE-284 and CWE-306. The impact includes loss of data integrity and confidentiality for all HR data accessible via the product.

Affected Systems

Oracle Corporation’s JD Edwards EnterpriseOne Human Resources Management version 9.2 is the only product affected. Users running this edition expose HR data to parties with network connectivity to the HTTP interface.

Risk and Exploitability

The CVSS v3.1 base score of 9.1 classifies the vulnerability as critical, with immediate impact on confidentiality and integrity. However, the EPSS score is less than 1%, indicating a very low, though nonzero, likelihood of exploitation today. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this weakness over the network via HTTP without authentication, implying that any system exposed to the public or untrusted network segments faces significant risk.

Generated by OpenCVE AI on June 18, 2026 at 12:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and apply the Oracle official security patch for JD Edwards EnterpriseOne Human Resources Management 9.2 as indicated in the Oracle security alert.
  • Restrict network exposure of the HR application by configuring firewall rules or network segmentation to allow HTTP access only from trusted IP ranges until the patch is deployed.
  • Verify that authentication and role‑based access controls are correctly configured and enable audit logging to monitor for unauthorized activity.

Generated by OpenCVE AI on June 18, 2026 at 12:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Access Leading to Data Manipulation in JD Edwards EnterpriseOne Human Resources Management

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the JD Edwards EnterpriseOne Human Resources Management product of Oracle JD Edwards (component: Human Resources). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Human Resources Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Human Resources Management accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Human Resources Management accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
First Time appeared Oracle
Oracle jd Edwards Enterpriseone Human Resources Management
CPEs cpe:2.3:a:oracle:jd_edwards_enterpriseone_human_resources_management:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle jd Edwards Enterpriseone Human Resources Management
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Oracle Jd Edwards Enterpriseone Human Resources Management
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:07.197Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46892

cve-icon Vulnrichment

Updated: 2026-06-17T13:06:54.636Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:04:46Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-306

    Missing Authentication for Critical Function