Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker with network access via JDENET can compromise JD Edwards EnterpriseOne Tools, potentially taking full control of the system and accessing all data. The vulnerability allows the attacker to bypass authentication checks, with full impact on confidentiality, integrity, and availability, effectively allowing a total takeover of the application.

Affected Systems

The affected product is Oracle JD Edwards EnterpriseOne Tools, specifically the Enterprise Infrastructure Security component. Versions from 9.2.0.0 to 9.2.26.2 are vulnerable.

Risk and Exploitability

The CVSS 3.1 base score is 9.8, indicating very high severity. The EPSS score is less than 1%, suggesting that exploitation is currently expected to be rare, and the vulnerability is not yet listed in CISA's KEV catalog. Nevertheless, the attack vector is remote over the network and requires no credentials, making it attractive to attackers who have network reach to the JDENET interface. Any successful exploitation would grant the attacker unrestricted access to the JD Edwards environment.

Generated by OpenCVE AI on June 17, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch released in the June 2026 security alert to upgrade to a version newer than 9.2.26.2
  • Disable the JDENET interface or restrict it to trusted hosts, or configure firewalls to block inbound JDENET traffic
  • Enable logging and monitor for anomalous activity on JDENET connections to detect potential exploitation attempts

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). |
| First Time appeared | | Oracle; Oracle jd Edwards Enterpriseone Tools |
| CPEs | | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle jd Edwards Enterpriseone Tools |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:35:03.498Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46904

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:30:15Z

Weaknesses

No weakness.