Description
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
Published: 2026-06-16
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows a low‑privileged attacker with network access over HTTP to create, delete or the framework can see. These actions can compromise confidentiality and integrity of the business information handled by Oracle Enterprise Command Center Framework. This flaw corresponds to Improper Access Control (CWE-284) and Missing Authorization (CWE-269), underpinning the unauthorized data modifications.

Affected Systems

Oracle Enterprise Command Center Framework versions 15 and 16 are affected. These versions are part of Oracle E‑Business Suite and form the Core component of the framework.

Risk and Exploitability

The CVSS v3.1 score is 9.6, indicating a high severity flaw with Confidentiality and Integrity impacts. The EPSS score is less than 1%, signifying a very low but non‑zero probability of exploitation at the time of analysis. The vulnerability is not yet listed in the CISA KEV catalogue. The attack vector is inferred to be network based, accessed via HTTP, and requires only local privileges on the network. Successful exploitation can lead to broad changes to critical data and potentially expose all framework‑accessible information.

Generated by OpenCVE AI on June 18, 2026 at 12:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Patch Oracle Enterprise Command Center Framework to the latest available version or apply the vendor’s security patch as soon as it becomes available.
  • Restrict HTTP access to the framework using firewall rules or network segmentation so that only authorized systems can reach it.
  • Enforce least‑privilege access controls for all users who interact with the framework to limit the impact of any credentials that may be compromised.

Generated by OpenCVE AI on June 18, 2026 at 12:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Privilege Escalation and Data Modification via Unauthorized HTTP Access in Oracle Enterprise Command Center Framework

Wed, 17 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
First Time appeared Oracle
Oracle enterprise Command Center Framework
CPEs cpe:2.3:a:oracle:enterprise_command_center_framework:v15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_command_center_framework:v16:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle enterprise Command Center Framework
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

Oracle Enterprise Command Center Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:20.979Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46899

cve-icon Vulnrichment

Updated: 2026-06-17T13:10:20.937Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:00:16Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control