Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Web Runtime Security component of Oracle JD Edwards EnterpriseOne Tools, where an unauthenticated attacker who can reach the service over HTTP can exploit a flaw to execute arbitrary code. The flaw results in a full compromise of the JD Edwards EnterpriseOne Tools application, leading to loss of confidentiality, integrity, and availability of the underlying business data.

Affected Systems

This flaw affects Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2. Any deployment of these product releases is at risk, regardless of the operating system or database platform, because the vulnerability exists in the web runtime layer of the tools.

Risk and Exploitability

The CVSS 3.1 base score of 9.8 indicates critical severity, and the available EPSS score of <1% suggests that, so far, exploitation attempts have been rare. The flaw can be exploited from any networked host without prior authentication, making it easily reachable by attackers with HTTP access to the JD Edwards instance. Although the vulnerability has not yet been listed in the CISA KEV catalog, its impact warrants immediate attention.

Generated by OpenCVE AI on June 18, 2026 at 23:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle security update that addresses this Web Runtime Security issue to versions beyond 9.2.26.2.
  • Restrict HTTP access to the JD Edwards EnterpriseOne Tools environment to trusted IP ranges and enforce TLS to prevent eavesdropping and man-in-the-middle attacks.
  • Enable auditing and monitor for suspicious authentication or privilege escalation activity on the tools platform.

Generated by OpenCVE AI on June 18, 2026 at 23:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Remote Code Execution in Oracle JD Edwards EnterpriseOne Tools Web Runtime Security

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title JD Edwards EnterpriseOne Tools Unauthenticated Remote Code Execution via Web Runtime Security
Weaknesses CWE-284
CWE-287

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title JD Edwards EnterpriseOne Tools Unauthenticated Remote Code Execution via Web Runtime Security
Weaknesses CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle jd Edwards Enterpriseone Tools
CPEs cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle jd Edwards Enterpriseone Tools
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Jd Edwards Enterpriseone Tools
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:31.664Z

Reserved: 2026-05-18T15:55:10.310Z

Link: CVE-2026-46905

cve-icon Vulnrichment

Updated: 2026-06-17T13:44:26.068Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T23:45:16Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function