Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Business Logic Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Vulnerability in the Business Logic Infrastructure Security component of Oracle JD Edwards EnterpriseOne Tools allows an attacker who can access the system over HTTP and who is only a low‑privileged user to fully compromise the application. Successful exploitation leads to the takeover of JD Edwards EnterpriseOne Tools, giving the attacker complete confidentiality, integrity, and availability control of the affected system. The weakness is an instance of improper access control, allowing a request that should be restricted to be carried out by a low‑privileged actor.

Affected Systems

Oracle Corporation’s JD Edwards EnterpriseOne Tools are affected, specifically all supported versions from 9.2.0.0 through 9.2.26.2. No patch or workaround has been published by Oracle. The product provides enterprise resource planning functionality for business applications.

Risk and Exploitability

With a CVSS score of 8.8 it is considered high impact. The EPSS score of less than 1% indicates a low probability of current exploitation, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is over the network via HTTP, requiring only low privileges and no user interaction, meaning that a remote attacker with access to the exposed HTTP interface can potentially leverage the flaw to compromise the entire JD Edwards EnterpriseOne Tools instance.

Generated by OpenCVE AI on June 18, 2026 at 23:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest official patch or upgrade JD Edwards EnterpriseOne Tools to a version newer than 9.2.26.2 that contains the fix.
  • If a patch is unavailable, restrict HTTP access to JD Edwards EnterpriseOne Tools to trusted network segments or VPNs and remove unnecessary user accounts, ensuring that only properly authenticated and authorized users can reach the interface.
  • Monitor system logs for suspicious HTTP requests or failures to enforce access control, and investigate any anomalies promptly.

Generated by OpenCVE AI on June 18, 2026 at 23:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title Remote HTTP Access Control Bypass in Oracle JD Edwards EnterpriseOne Tools

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title JD Edwards EnterpriseOne Tools Remote System Compromise via HTTP by Low‑Privilege Attacker
Weaknesses CWE-284

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title JD Edwards EnterpriseOne Tools Remote System Compromise via HTTP by Low‑Privilege Attacker
Weaknesses CWE-269
CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Business Logic Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle jd Edwards Enterpriseone Tools
CPEs cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle jd Edwards Enterpriseone Tools
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Jd Edwards Enterpriseone Tools
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:27.862Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46903

cve-icon Vulnrichment

Updated: 2026-06-17T13:42:29.833Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:45:16Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-287

    Improper Authentication

  • CWE-306

    Missing Authentication for Critical Function