Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Web Runtime Security component of Oracle JD Edwards EnterpriseOne Tools, where an unauthenticated attacker who can reach the service over HTTP can exploit a flaw to execute arbitrary code. The flaw results in a full compromise of the JD Edwards EnterpriseOne Tools application, leading to loss of confidentiality, integrity, and availability of the underlying business data.

Affected Systems

This flaw affects Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2. Any deployment of these product releases is at risk, regardless of the operating system or database platform, because the vulnerability exists in the web runtime layer of the tools.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 indicates critical severity, and the available EPSS score of <1% suggests that, so far, exploitation attempts have been rare. The flaw can be exploited from any networked host without prior authentication, making it easily reachable by attackers with HTTP access to the JD Edwards instance. Although the vulnerability has not yet been listed in the CISA KEV catalog, its impact warrants immediate attention.

Generated by OpenCVE AI on June 17, 2026 at 19:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle security update that addresses this Web Runtime Security issue to versions beyond 9.2.26.2.
  • Restrict HTTP access to the JD Edwards EnterpriseOne Tools environment to trusted IP ranges and enforce TLS to prevent eavesdropping and man‑in‑the‑middle attacks.
  • Enable auditing and monitor for suspicious authentication or privilege escalation activity on the tools platform.

Generated by OpenCVE AI on June 17, 2026 at 19:05 UTC.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle jd Edwards Enterpriseone Tools
CPEs | | cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle jd Edwards Enterpriseone Tools
References | |
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:44:32.625Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46905

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T04:30:03Z

Weaknesses

No weakness.