Description
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
Published: 2026-06-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the Web Runtime Security component of Oracle JD Edwards EnterpriseOne Tools allows an unauthenticated attacker with network access via HTTP to exploit the vulnerability. The flaw permits unauthorized disclosure of critical data and provides the attacker with the ability to insert, update, or delete data that the user does not have permission to modify. The weakness arises from a lack of authentication, improper authorization checks, and potential information disclosure, resulting in high impacts to confidentiality and moderate impacts to integrity. The vulnerability’s scope is changed, meaning it can also affect other JD Edwards products that share or interact with the compromised tool.

Affected Systems

Oracle JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2 are affected. The flaw may also impact additional JD Edwards products that are connected to or share data with the affected tool.

Risk and Exploitability

The CVSS base score of 9.3 signals a critical vulnerability, while the EPSS score of less than 1% indicates a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. It is inferred that an attacker can exploit this weakness by sending crafted HTTP requests to the JD Edwards EnterpriseOne Tools web interface, gaining unauthorized access and modification rights because no authentication or privilege is required.

Generated by OpenCVE AI on June 18, 2026 at 21:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Follow Oracle’s guidance in the security alert to apply a patch or upgrade to a version newer than 9.2.26.2 that contains the Web Runtime Security fix.
  • Restrict HTTP access to the JD Edwards EnterpriseOne Tools instance to internal users only by configuring firewalls, VPNs, or a reverse proxy that requires authentication.
  • If the Web Runtime Security component is not essential, consult Oracle’s recommendations for safely disabling or removing the component while ensuring operational continuity.

Generated by OpenCVE AI on June 18, 2026 at 21:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title JD Edwards EnterpriseOne Tools: Unauthenticated HTTP Remote Access Leading to Unauthorized Data Modification

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title JD Edwards EnterpriseOne Tools: Unauthenticated HTTP Remote Access Leading to Unauthorized Data Modification
Weaknesses CWE-200
CWE-284
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Tools accessible data as well as unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 9.3 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N).
First Time appeared Oracle
Oracle jd Edwards Enterpriseone Tools
CPEs cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle jd Edwards Enterpriseone Tools
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N'}


Subscriptions

Oracle Jd Edwards Enterpriseone Tools
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T13:53:22.584Z

Reserved: 2026-05-18T15:55:10.311Z

Link: CVE-2026-46912

cve-icon Vulnrichment

Updated: 2026-06-17T13:53:17.456Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:45:04Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control

  • CWE-306

    Missing Authentication for Critical Function