Description
Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Siebel Cloud Manager component of Oracle Siebel CRM Cloud Applications. An unauthenticated attacker with network access via HTTP can exploit this flaw to gain full control, compromising confidentiality, integrity, and availability. The weakness is a combination of authentication bypass (CWE‑287), improper access control enforcement (CWE‑284), and missing authorization checks (CWE‑306), allowing arbitrary code execution on the host.

Affected Systems

Oracle Siebel CRM Cloud Applications, versions 17.0 through 26.5, are affected.

Risk and Exploitability

The CVSS base score of 9.8 classifies this as a critical vulnerability, though the EPSS score of less than 1% indicates a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. Attackers would likely target the exposed HTTP endpoint of Siebel Cloud Manager, which provides no authentication and therefore permits the vulnerable operation to be performed from any network location.

Generated by OpenCVE AI on June 18, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Siebel CRM Cloud Applications to a version newer than 26.5
  • If a patch is not yet available, restrict network access to the Siebel Cloud Manager interface to trusted IP addresses or VPN only
  • Implement a web application firewall to block suspicious HTTP requests to the affected component
  • Enforce strong authentication and disable legacy authentication methods if possible

Generated by OpenCVE AI on June 18, 2026 at 21:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via Siebel Cloud Manager HTTP Interface

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated Remote Code Execution via Siebel Cloud Manager HTTP Interface
Weaknesses CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle siebel Crm Cloud Applications
CPEs cpe:2.3:a:oracle:siebel_crm_cloud_applications:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle siebel Crm Cloud Applications
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Siebel Crm Cloud Applications
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T03:57:50.026Z

Reserved: 2026-05-18T15:55:10.311Z

Link: CVE-2026-46919

cve-icon Vulnrichment

Updated: 2026-06-17T13:58:35.075Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:45:00Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-287

    Improper Authentication

  • CWE-306

    Missing Authentication for Critical Function