Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
Published: 2026-06-16
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Oracle JD Edwards EnterpriseOne Tools allows a low‑privileged network attacker to create, delete, or modify critical data without user interaction. It exposes entire datasets to unauthorized users, compromising confidentiality and integrity of all accessible information. The high CVSS score reflects significant impact on data integrity and confidentiality, with no effect on availability.

Affected Systems

Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2 are affected. These versions belong to the JD Edwards EnterpriseOne Tools product line from Oracle Corporation.

Risk and Exploitability

A network attacker can exploit the flaw over HTTP with low effort, using only low-privileged credentials and without user interaction (AV:N/AC:L/PR:L/UI:N). The CVSS score of 9.6 indicates critical severity, while the EPSS score of less than 1% suggests low current exploitation probability. The vulnerability is not listed in CISA KEV, but the scope change means attacks may affect additional products beyond JD Edwards EnterpriseOne Tools.

Generated by OpenCVE AI on June 17, 2026 at 19:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle security update for JD Edwards EnterpriseOne Tools that addresses this vulnerability
  • Restrict HTTP access to the JD Edwards EnterpriseOne Tools server to trusted internal networks or secure VPNs
  • Enforce strict access control policies to ensure only authorized users can create, delete, or modify critical data

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values Removed: none

Values Added:

  • Description: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
  • First Time appeared: Oracle; Oracle JD Edwards EnterpriseOne Tools
  • CPEs: cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle JD Edwards EnterpriseOne Tools
  • References:
  • Metrics: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:45:53.804Z

Reserved: 2026-05-18T15:55:10.311Z

Link: CVE-2026-46906

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T04:00:02Z

Weaknesses

No weakness.