Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Business Logic Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the Business Logic Infrastructure Security component of Oracle JD Edwards EnterpriseOne Tools allows a low‑privileged user with network access via HTTP to fully compromise the application. Successful exploitation leads to the takeover of JD Edwards EnterpriseOne Tools, with full impact on the confidentiality, integrity, and availability of the affected system. The weakness is an instance of improper access control: a request that should be restricted can be carried out by a low‑privileged actor.

Affected Systems

Oracle Corporation’s JD Edwards EnterpriseOne Tools is affected, specifically all supported versions from 9.2.0.0 through 9.2.26.2. No patch or workaround has been published by Oracle. The product provides enterprise resource planning functionality for business applications.

Risk and Exploitability

With a CVSS score of 8.8, the vulnerability is considered high impact. The EPSS score of less than 1% indicates a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is the network via HTTP, requiring only low privileges and no user interaction, so a remote attacker with access to the exposed HTTP interface can potentially leverage the flaw to compromise the entire JD Edwards EnterpriseOne Tools instance.

Generated by OpenCVE AI on June 17, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest official patch or upgrade JD Edwards EnterpriseOne Tools to a version newer than 9.2.26.2 that contains the fix.
  • If a patch is unavailable, restrict HTTP access to JD Edwards EnterpriseOne Tools to trusted network segments or VPNs and remove unnecessary user accounts, ensuring that only properly authenticated and authorized users can reach the interface.
  • Monitor system logs for suspicious HTTP requests or failures to enforce access control, and investigate any anomalies promptly.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Business Logic Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). |
| First Time appeared | | Oracle; Oracle jd Edwards Enterpriseone Tools |
| CPEs | | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle jd Edwards Enterpriseone Tools |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:42:40.455Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46903

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:30:15Z

Weaknesses

No weakness.