CVE-2026-46857: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Oracle Management Service)
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Oracle Management Service). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unauthenticated remote code execution vulnerability affects Oracle Enterprise Manager Base Platform versions 13.5 and 24.1, specifically the Oracle Management Service component. The vulnerability is reachable over HTTP with no authentication required and no victim interaction needed, making it trivially exploitable from any network-accessible position. Successful exploitation results in full takeover of the Oracle Enterprise Manager Base Platform, affecting confidentiality, integrity, and availability. No fix version has been published by Oracle; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle Enterprise Manager Base Platform components. Any image in a connected registry or CI/CD pipeline running versions 13.5 or 24.1 of the affected component is flagged automatically.
HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and surfaces it at the top of affected-image queues. Per-environment compliance policy weighting is applied so that teams with stricter SLOs for critical-severity findings receive priority routing to the appropriate inbox within each customer organization.
Because no fix version has been published by Oracle, no patched-image rebuild is available at this time. HarborGuard re-checks the Oracle advisory and upstream feeds on every ingest cycle; the moment Oracle publishes a fix, a patched-image rebuild will become available automatically, and customers with auto-remediation enabled will receive a rebuild, regression-test run, and a PR opened against affected workloads.
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the Oracle Management Service over the network via HTTP; any internet- or intranet-exposed instance is in scope.
- Authentication: Not required
  No credentials or session token of any kind are required; the attack is available to any unauthenticated party with network access.
- Victim interaction: Not required
  The attacker does not need to trick or involve any user; exploitation is fully server-side and requires no human action on the target system.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory-layout knowledge, or environmental prerequisites.
Blast Radius
- A successful attacker gains full control over the Oracle Enterprise Manager Base Platform instance, including the ability to read all managed-target credentials, monitoring data, and configuration stored within the platform.
- The attacker can modify or delete monitoring policies, agent configurations, and job definitions across every managed target registered with the compromised Enterprise Manager installation.
- The attacker can crash or render unavailable the Oracle Management Service and all dependent monitoring and automation workflows, causing a complete loss of observability for managed infrastructure.
- Because Enterprise Manager holds credentials for downstream managed databases and hosts, a compromise provides a pivot point to laterally access those systems.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked at CRITICAL severity with no upstream fix currently published. For images containing Oracle Enterprise Manager Base Platform 13.5 or 24.1, HarborGuard flags the affected image immediately upon scan and routes the finding to the team inbox defined in each environment's compliance policy.
While no patched rebuild is available from Oracle, compensating controls can be applied at the infrastructure level: network-policy isolation to restrict HTTP access to the Oracle Management Service to known management subnets, egress filtering to limit outbound connections from the OMS host, and disabling any externally exposed OMS endpoints where operationally feasible.
HarborGuard will re-evaluate the advisory on every ingest cycle, and the moment Oracle publishes a fix, a patched-image rebuild will become available. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will follow automatically, with median time from CVE publication to merged patch PR for critical-severity issues around 90 minutes once an upstream fix is in place.
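The network-isolation and egress-filtering controls described above, expressed as a Kubernetes NetworkPolicy. This is an added example, not configuration from HarborGuard or Oracle, and it assumes a containerised OMS deployment: the namespace `oem`, the pod label `app=oracle-oms`, the management subnet `10.20.0.0/24`, the repository-database subnet `10.30.0.0/24`, and the listener port `7802` are all placeholders to be replaced with the values of the actual installation.

```yaml
# Added example (not from the HarborGuard page or Oracle). Restricts inbound HTTP(S)
# to the OMS pods so that only the management subnet can reach the service, and
# limits outbound traffic from the OMS pods to DNS and the repository-database subnet.
# All names, CIDRs and ports below are assumed placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: oms-restrict-http           # assumed name
  namespace: oem                    # assumed namespace hosting the OMS pods
spec:
  podSelector:
    matchLabels:
      app: oracle-oms               # assumed label on the OMS pods
  policyTypes:
  - Ingress
  - Egress
  ingress:
  # Only the management subnet may open connections to the OMS listener.
  # Any other source (including other namespaces in the cluster) is denied.
  - from:
    - ipBlock:
        cidr: 10.20.0.0/24          # assumed management subnet
    ports:
    - protocol: TCP
      port: 7802                    # placeholder: replace with the real OMS listener port
  egress:
  # Allow DNS resolution inside the cluster.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Allow the OMS to reach its repository database; nothing else is permitted outbound.
  - to:
    - ipBlock:
        cidr: 10.30.0.0/24          # assumed repository-database subnet
    ports:
    - protocol: TCP
      port: 1521                    # placeholder: replace with the real listener port
```

Because a NetworkPolicy with an explicit `ingress`/`egress` list denies everything it does not list, apply it only after confirming which agents and downstream hosts the OMS legitimately talks to, and verify the result with `kubectl describe networkpolicy -n oem oms-restrict-http` and a connection test from a pod outside the management subnet. The policy is enforced only when the cluster's CNI plugin supports NetworkPolicy.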
Affected Products
- Oracle Corporation / Oracle Enterprise Manager Base Platform: 13.5 · 24.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H