CVE-2026-46856: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin)
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Metadata Plugin). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.6
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical cross-scope vulnerability exists in the Metadata Plugin component of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1). The flaw is reachable over HTTP from the network without any authentication, but requires a victim to perform some interaction, such as clicking a crafted link or visiting a malicious page. Successful exploitation results in full takeover of Oracle Enterprise Manager Base Platform, with high impact to confidentiality, integrity, and availability, and the scope change indicator means the compromise can spill into adjacent systems beyond the directly affected product. No fix versions have been published yet; HarborGuard is tracking the advisory and will make a patched rebuild available as soon as Oracle ships an upstream fix.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Oracle Enterprise Manager Base Platform components.
- Available: Triage capability is available using the CVSS 3.1 base score of 9.6 (Critical), weighted against each customer organization's configured compliance policy; findings are routed automatically to the appropriate team inbox within the customer org based on image ownership and policy rules.
- Pending upstream: Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on each ingest cycle and will surface a patched-image rebuild the moment Oracle publishes a remediated release. In the meantime, advisory-level findings remain open and visible in each customer environment's vulnerability queue.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Oracle Enterprise Manager Base Platform service over the network via HTTP; no local or physical access is required.
- Authentication: Not required. No credentials or account of any privilege level are needed; the attack path is fully unauthenticated.
- Victim interaction: Required. A person other than the attacker must take an action, such as clicking a crafted link or loading a malicious page, for the exploit to succeed.
- Attack complexity: Low. Attack complexity is Low, meaning exploitation does not depend on race conditions, specific memory layouts, or other environmental factors and can be expected to succeed repeatably once the victim interaction occurs.
Blast Radius
- A successful attacker reads all data accessible to Oracle Enterprise Manager Base Platform, including managed target credentials, monitoring configuration, and stored session material.
- The attacker can modify or delete persisted configuration data, managed-target definitions, and monitoring policies within the platform.
- The attacker can crash or otherwise render the Enterprise Manager service unavailable, disrupting monitoring and management of all connected targets.
- Because the CVSS scope is changed, compromise can extend beyond Oracle Enterprise Manager itself into other products and systems that the platform manages or communicates with.
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-46856 at this time, HarborGuard continuously re-checks the Oracle advisory on every ingest cycle and will generate a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a fix version is published. While awaiting an upstream fix, compensating controls to consider include applying strict network-policy rules to limit HTTP access to the Oracle Enterprise Manager Base Platform service to known management hosts only, enabling egress filtering to reduce the reach of a scope-change scenario, and disabling or sandboxing the Metadata Plugin component if it is not operationally required. Affected version tags (13.5 and 24.1) are flagged in every customer image scan where HarborGuard can identify the component, and findings remain open and visible in each environment's vulnerability queue until an upstream fix is confirmed.
- Oracle Corporation / Oracle Enterprise Manager Base Platform: 13.5 · 24.1
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H