HarborGuard Database
CRITICAL · CVE-2026-46854 · CNA: oracle

CVE-2026-46854: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Target Management)

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Target Management). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1 base score: 9.9
  • Severity: CRITICAL
  • Fixed in: no fix version published by Oracle yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

A critical vulnerability exists in the Target Management component of Oracle Enterprise Manager Base Platform, affecting versions 13.5 and 24.1. It is reachable over HTTP from any host that can reach the Enterprise Manager web interface, and it requires only a low-privileged account on the platform to exploit, with no interaction from another user. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) rates confidentiality, integrity and availability impact as High with a scope change: successful exploitation yields full takeover of Enterprise Manager itself and can extend to the products it manages. Oracle's advisory text characterises the flaw only by component, access vector and impact; no further technical detail is given here. No upstream fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as Oracle releases one.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-46854 is ingested from upstream advisory feeds within minutes of publication and matched against all customer container images, including custom-built images derived from Oracle Enterprise Manager base layers. Any image carrying an affected version of Oracle Enterprise Manager Base Platform (13.5 or 24.1) is flagged automatically.
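The matching step described above, as an added example for this page rather than HarborGuard's scanner or any Oracle tooling. Oracle's advisory lists the affected versions as "13.5" and "24.1", i.e. release families, so a package version recorded in an image as 13.5.0.21 has to be matched on its leading numeric components, not by exact string equality, and not by string prefix either (which would wrongly pull in 13.50.x). The image names, the package inventory and the routing policy are constructed for the example; the triage routing mirrors the "configured alert rules" idea from the next section.

```python
"""Flag container images carrying an affected Oracle Enterprise Manager version.

Added example for this advisory page; not HarborGuard's scanner or Oracle code.
Image names, inventory contents and routing rules below are constructed.
"""

CVE_ID = "CVE-2026-46854"
AFFECTED_PRODUCT = "Oracle Enterprise Manager Base Platform"
AFFECTED_FAMILIES = ("13.5", "24.1")   # as listed in the advisory
CVSS_BASE_SCORE = 9.9
CVSS_SEVERITY = "CRITICAL"


def version_tuple(version):
    """Split a dotted numeric version into integers: '13.5.0.21' -> (13, 5, 0, 21)."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def in_family(version, family):
    """True if version falls inside the release family, e.g. 13.5.0.21 in 13.5.

    Comparing integer components (not string prefixes) keeps 13.50.x out of 13.5.
    """
    v, f = version_tuple(version), version_tuple(family)
    return v[: len(f)] == f


def is_affected(product, version):
    return product == AFFECTED_PRODUCT and any(
        in_family(version, fam) for fam in AFFECTED_FAMILIES
    )


# Constructed routing policy: the first rule whose prefix matches the image wins.
ROUTING_RULES = [
    {"image_prefix": "registry.example.internal/prod/", "route": "platform-oncall", "priority": "P1"},
    {"image_prefix": "registry.example.internal/", "route": "platform-backlog", "priority": "P2"},
]


def route_finding(image):
    for rule in ROUTING_RULES:
        if image.startswith(rule["image_prefix"]):
            return rule["route"], rule["priority"]
    return "security-triage", "P2"   # default for images no rule claims


def scan_inventory(inventory):
    """Return one finding per image whose package list contains an affected version.

    inventory: list of {"image": str, "packages": [(name, version), ...]}
    """
    findings = []
    for entry in inventory:
        hits = [(name, ver) for name, ver in entry["packages"] if is_affected(name, ver)]
        if not hits:
            continue
        route, priority = route_finding(entry["image"])
        findings.append({
            "cve": CVE_ID,
            "image": entry["image"],
            "matched": hits,
            "cvss_base": CVSS_BASE_SCORE,
            "severity": CVSS_SEVERITY,
            "route": route,
            "priority": priority,
            "fix_available": False,   # no upstream fix version published at time of writing
        })
    return findings


# Constructed sample inventory, shaped like what a scanner extracts from image layers.
SAMPLE_INVENTORY = [
    {"image": "registry.example.internal/prod/oem-oms:13.5",
     "packages": [(AFFECTED_PRODUCT, "13.5.0.21"), ("Oracle JDK", "17.0.10")]},
    {"image": "registry.example.internal/dev/oem-oms:24.1",
     "packages": [(AFFECTED_PRODUCT, "24.1.0.0")]},
    {"image": "registry.example.internal/legacy/oem-oms:13.4",
     "packages": [(AFFECTED_PRODUCT, "13.4.0.15")]},        # not in the advisory's affected list
    {"image": "registry.example.internal/misc/tool:1",
     "packages": [("Some Other Product", "13.5.0.1")]},     # same version string, wrong product
    {"image": "registry.example.internal/misc/oddversion:1",
     "packages": [(AFFECTED_PRODUCT, "13.50.0.1")]},        # string-prefix trap: 13.50 is not 13.5
]

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_INVENTORY):
        print(f"{f['priority']} {f['severity']} {f['cve']} {f['image']} -> {f['route']} {f['matched']}")
```

Running the block flags only the first two images: the 13.4 image is outside the listed families, the third carries a different product, and the 13.50.0.1 entry shows why version matching has to be numeric rather than textual.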
Triage: Available

HarborGuard scores this CVE at its CVSS 3.1 base score of 9.9 (Critical) and weights it against each customer environment's compliance policy to surface it at the appropriate priority. Triage routing directs findings to the correct team or inbox within each customer organization based on their configured alert rules.
Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream patch is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Enterprise Manager HTTP interface over the network (AV:N); no local or physical access is required.

  • Authentication: Required

    Any low-privilege account on the platform is sufficient (PR:L); no administrative credentials are needed.

  • Victim interaction: Not required

    The attacker can complete exploitation without any action from another user (UI:N).

  • Attack complexity: Low

    The CVSS rating (AC:L) indicates that exploitation does not depend on special environmental conditions, race conditions, or configuration prerequisites outside the attacker's control.

Blast Radius

  • A successful attacker achieves full takeover of Oracle Enterprise Manager Base Platform (C:H), including read access to the credentials Enterprise Manager stores for managed targets, monitored-target configurations, and management data.
  • The attacker can modify or destroy any data managed by the platform (I:H), including monitoring rules, target configurations, and audit records.
  • The attacker can render Oracle Enterprise Manager Base Platform fully unavailable (A:H), removing visibility into and control over all managed targets.
  • Because the CVSS scope is Changed (S:C), systems and products connected to or managed by the platform are exposed to lateral compromise beyond the initial entry point.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against customer images on every scan cycle, and any image running Oracle Enterprise Manager Base Platform 13.5 or 24.1 is flagged at Critical priority. Because Oracle has not yet published a fix version, no patched-image rebuild is available at this time. HarborGuard re-checks the advisory on each ingest cycle and, the moment Oracle publishes a patch, will make a rebuild available and trigger the auto-remediation flow (rebuild, regression run, and PR) for customers who have that option enabled.

In the interim, compensating controls should follow from the CVSS vector. Exploitation needs network access to the Enterprise Manager HTTP interface, so restrict that interface with network-policy rules to known, trusted source addresses and keep it off any internet-facing path. It also needs only a low-privileged Enterprise Manager account, so review the accounts able to log in to the console, disable unused ones, and treat every remaining account as a potential entry point. Egress filtering limits what a compromised platform can reach, which matters here because the scope change means managed targets are exposed once the platform is taken over. Target Management is core Enterprise Manager functionality rather than an optional module, so for non-essential environments the practical equivalent of disabling it is taking the instance offline until a patch exists. The advisory will be updated here when upstream patch status changes.

Affected packages
  • Oracle Corporation / Oracle Enterprise Manager Base Platform
    13.5 · 24.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H