CVE-2026-46852: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin)
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical remote code execution and full-takeover vulnerability exists in the Metadata Plugin component of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. The flaw is reachable over HTTPS from any network location by an attacker holding any low-privilege account, with no further user interaction required; the CVSS scope-change indicator means a successful attack can break out of the affected component and compromise additional products in the environment. Successful exploitation gives an attacker full control over the platform, including read, write, and denial-of-service capabilities. No fix version has been published yet; HarborGuard is tracking this advisory and will surface a patched-image rebuild the moment Oracle releases one.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-46852 is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD advisory feeds within minutes of publication and matched against all customer images, including custom-built images that layer Oracle Enterprise Manager components. Scanning coverage applies to both registry scans and CI/CD pipeline checks, so any image carrying an affected version of Oracle Enterprise Manager Base Platform (13.5 or 24.1) is flagged automatically.
- Scoring and triage: Available
HarborGuard is capable of scoring this finding at its published CVSS 3.1 rating of 9.9 (Critical) and weighting it further against each customer environment's compliance policy, which may escalate or suppress routing based on workload classification. Triage routing is available to direct the alert to the appropriate team inbox within each organization based on image ownership and environment tagging.
- Fix availability: Pending upstream
No upstream fix version has been published for CVE-2026-46852 as of the publication date. HarborGuard re-evaluates the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a corrective release; customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Oracle Enterprise Manager HTTPS endpoint over a network connection; no physical or local access is needed.
- Authentication: Required
The attacker must hold a valid low-privilege account on the platform; anonymous access is not sufficient, but no administrative rights are needed.
- Victim interaction: Not required
No action by any other user or administrator is needed to trigger the vulnerability; the attacker operates entirely on their own.
- Attack complexity: Low
Attack complexity is Low, meaning the exploit is reliable and requires no special conditions such as race-timing or knowledge of memory layout.
Blast Radius
- A successful attacker reads all data managed by Oracle Enterprise Manager Base Platform, including credentials, monitored-target configurations, and stored monitoring metadata.
- The attacker can write to or delete any data on the platform, modifying monitoring configurations, targets, or stored credentials.
- The attacker can crash or fully disable the Oracle Enterprise Manager service, removing visibility and control over all managed infrastructure.
- Due to the CVSS scope change, the attacker can pivot from the Enterprise Manager component to compromise additional products and systems managed or reachable through the platform.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46852 is active across all customer scanning environments, matching any image that carries Oracle Enterprise Manager Base Platform at affected versions 13.5 or 24.1. Because Oracle has not yet published a fix, HarborGuard monitors the Oracle advisory and NVD record on every ingest cycle. The moment a patched release is available upstream, a rebuilt image at the fix version becomes available on HarborGuard automatically. For customers with auto-remediation enabled, that triggers a full rebuild, a regression test run, and a PR opened against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes once the upstream fix is released.
In the interim, compensating controls worth considering include:
- restricting access to the Enterprise Manager HTTPS endpoint to known-good source IP ranges via network policy;
- isolating Enterprise Manager nodes from lateral network paths to other managed products, to limit scope-change exposure;
- auditing low-privilege accounts with access to the platform, since any such account satisfies the authentication precondition, to reduce the available attack surface.
Affected Products
- Oracle Corporation / Oracle Enterprise Manager Base Platform: 13.5 · 24.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H