Description
Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via SMB to compromise JD Edwards EnterpriseOne General Ledger. While the vulnerability is in JD Edwards EnterpriseOne General Ledger, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne General Ledger. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the E1 Foundation component of JD Edwards EnterpriseOne General Ledger, enabling an attacker with low privileges and network access via SMB to compromise the system. The flaw permits full control over the application, resulting in a loss of confidentiality, integrity, and availability. The weakness is identified as CWE‑269, reflecting an improper authorization or privilege escalation scenario.

Affected Systems

The affected product is Oracle JD Edwards EnterpriseOne General Ledger, version 9.2. Only this release is known to contain the vulnerability; no other versions are listed as impacted.

Risk and Exploitability

The CVSS base score of 9.9 indicates critical severity, with a low attack complexity but requiring local or network SMB access. The EPSS score of less than 1 % suggests a low probability of exploitation at the time of analysis, and the vulnerability is not currently listed in the CISA KEV catalog. However, the scope change noted in the description means that successful exploitation could also impact additional Oracle products.

Generated by OpenCVE AI on June 18, 2026 at 12:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch or upgrade to a version of JD Edwards EnterpriseOne General Ledger that contains the fix referenced in Oracle's security alert.
  • Restrict or disable SMB access to the JD Edwards servers, limiting connectivity to trusted hosts and network segments only.
  • Implement monitoring of SMB traffic and audit logs for anomalous activity that could indicate exploitation attempts.

Generated by OpenCVE AI on June 18, 2026 at 12:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege Remote Takeover via SMB in JD Edwards EnterpriseOne General Ledger

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via SMB to compromise JD Edwards EnterpriseOne General Ledger. While the vulnerability is in JD Edwards EnterpriseOne General Ledger, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne General Ledger. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
First Time appeared Oracle
Oracle jd Edwards Enterpriseone General Ledger
CPEs cpe:2.3:a:oracle:jd_edwards_enterpriseone_general_ledger:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle jd Edwards Enterpriseone General Ledger
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Oracle Jd Edwards Enterpriseone General Ledger
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:08.280Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46893

cve-icon Vulnrichment

Updated: 2026-06-17T13:06:03.018Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:02Z

Weaknesses
  • CWE-269

    Improper Privilege Management