Description
Vulnerability in the JD Edwards EnterpriseOne Project Costing product of Oracle JD Edwards (component: Job Costing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Project Costing. While the vulnerability is in JD Edwards EnterpriseOne Project Costing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Project Costing accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Project Costing accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
Published: 2026-06-16
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Job Costing component of Oracle JD Edwards EnterpriseOne Project Costing. An attacker with low privileges who can reach the JDENET network interface can exploit the flaw to create, delete, or modify critical data, or gain unauthorized access to all data accessible through the project costing module. The flaw allows full confidentiality and integrity compromise of the data but does not affect availability.

Affected Systems

Oracle JD Edwards EnterpriseOne Project Costing, version 9.2.

Risk and Exploitability

The CVSS v3.1 base score of 9.6 indicates a critical severity. The low EPSS value suggests that the vulnerability is not widely exploited yet, and it is not listed in the CISA KEV catalog. However, because the attack vector is a local network service (JDENET) and only low privileges are required, an attacker who can reach the JDENET endpoint can easily gain significant access. The scope change indicates that a successful exploitation in JD Edwards EnterpriseOne Project Costing may extend to other JD Edwards products, amplifying the potential impact.

Generated by OpenCVE AI on June 17, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JD Edwards EnterpriseOne Project Costing to the latest patch level that resolves the JDENET access control issue.
  • Limit JDENET connectivity to trusted hosts or VLANs, applying network segmentation to reduce the attack surface.
  • Implement strict access control and monitoring on the JDENET interface to detect and prevent unauthorized job costing operations.
  • If a patch release is not yet available, temporarily restrict JDENET job costing functionality to users with the highest required privileges, or disable JDENET access entirely for non-essential roles.

Generated by OpenCVE AI on June 17, 2026 at 20:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low-Privilege JDENET User Can Gain Unrestricted Data Access in JD Edwards EnterpriseOne Project Costing
Weaknesses CWE-284
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the JD Edwards EnterpriseOne Project Costing product of Oracle JD Edwards (component: Job Costing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Project Costing. While the vulnerability is in JD Edwards EnterpriseOne Project Costing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Project Costing accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Project Costing accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
First Time appeared Oracle
Oracle jd Edwards Enterpriseone Project Costing
CPEs cpe:2.3:a:oracle:jd_edwards_enterpriseone_project_costing:9.2:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle jd Edwards Enterpriseone Project Costing
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N'}


Subscriptions

Oracle Jd Edwards Enterpriseone Project Costing
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:40.982Z

Reserved: 2026-05-18T15:55:10.311Z

Link: CVE-2026-46911

cve-icon Vulnrichment

Updated: 2026-06-17T13:54:10.312Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:01Z

Weaknesses