Description
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
Published: 2026-06-16
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Oracle Enterprise Command Center Framework vulnerability enables a remote attacker who can reach the HTTP endpoints to create, delete, modify, or read critical data, as well as partially disrupt service. The flaw stems from improper privilege and access controls (CWE‑269 and CWE‑284), allowing the attacker to bypass authorization checks and manipulate sensitive information. The impact extends across confidentiality, integrity, and availability, potentially affecting the entire framework and related database tables.

Affected Systems

Oracle Enterprise Command Center Framework versions 15 and 16, part of Oracle E‑Business Suite, are affected. Any environment exposing these versions over HTTP is vulnerable, regardless of operating system or infrastructure.

Risk and Exploitability

The CVSS 3.1 base score of 9.9 reflects high severity, while the EPSS score of less than 1 % indicates a low probability of widespread exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via unauthenticated HTTP access, requiring no user interaction; this inference is based on the description’s mention of “network access via HTTP” and “low privileged attacker.” Successful exploitation can lead to unauthorized data manipulation, exposure, and partial denial of service, with a scope change that may affect additional Oracle products.

Generated by OpenCVE AI on June 19, 2026 at 00:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle Enterprise Command Center Framework patch or upgrade to a version that contains the fix as announced in the Oracle security alert.
  • Restrict HTTP access by installing a firewall or placing the framework behind a VPN so that only trusted hosts or internal networks can reach it.
  • Enforce strict role‑based access controls and remove low‑privileged accounts that can reach the framework’s HTTP endpoints, addressing the underlying privilege escalation and access control weaknesses.

Generated by OpenCVE AI on June 19, 2026 at 00:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Low‑Privileged HTTP Attack Compromises Oracle Enterprise Command Center Framework
Weaknesses CWE-200
CWE-285

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low‑Privileged HTTP Attack Compromises Oracle Enterprise Command Center Framework
Weaknesses CWE-200
CWE-269
CWE-284
CWE-285
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
First Time appeared Oracle
Oracle enterprise Command Center Framework
CPEs cpe:2.3:a:oracle:enterprise_command_center_framework:v15:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_command_center_framework:v16:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle enterprise Command Center Framework
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L'}


Subscriptions

Oracle Enterprise Command Center Framework
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:24.457Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46901

cve-icon Vulnrichment

Updated: 2026-06-17T13:39:32.378Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:15:03Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control