HIGH · CVE-2026-46866 · CNA: oracle

CVE-2026-46866: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen)

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Agent Next Gen). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform as well as unauthorized update, insert or delete access to some of Oracle Enterprise Manager Base Platform accessible data. CVSS 3.1 Base Score 8.2 (Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

Metrics

  • CVSS v3.1: 8.2
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service and data-tampering vulnerability in Oracle Enterprise Manager Base Platform, specifically in the Agent Next Gen component, affecting versions 13.5 and 24.1. An unauthenticated attacker with network access over HTTPS can reach the component directly, with no login or user interaction required. Successful exploitation causes a complete hang or crash of the platform and allows unauthorized writes, inserts, or deletes against some accessible data. No fix version has been published yet; HarborGuard tracks this advisory and will surface a patched-image rebuild the moment Oracle publishes one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and build pipelines, including custom-built images that package the Oracle Enterprise Manager Agent Next Gen component.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.2 (HIGH) and weighting it further against each environment's compliance policy, then routing the alert to the appropriate team inbox within the customer organization.

Status: Available

Patch

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers can review compensating-control recommendations surfaced in the HarborGuard findings panel for this CVE.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Agent Next Gen service over the network via HTTPS; there is no local or physical access requirement.

  • Authentication: Not required

    No credentials or account of any kind are needed to trigger this vulnerability.

  • Victim interaction: Not required

    The attack is fully automated and requires no action from any user or administrator of the platform.

  • Attack complexity (detail)

    The advisory describes the vulnerability as easily exploitable, with no special conditions, race windows, or environmental prerequisites required.

Blast Radius

  • Crashes or permanently hangs the Oracle Enterprise Manager Base Platform service, taking monitoring and management capabilities offline for all users.
  • Allows the attacker to insert, update, or delete rows in data accessible through the Agent Next Gen component, corrupting monitoring configurations, agent records, or managed-target metadata.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46866 is active across connected environments, matching any image that packages Oracle Enterprise Manager Base Platform 13.5 or 24.1 against this advisory. Because Oracle has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will automatically trigger a rebuild and, for customers with auto-remediation enabled, open a patch PR against affected workloads as soon as Oracle ships a fix. In the meantime, customers are encouraged to consider compensating controls such as network-policy rules that restrict inbound HTTPS access to the Agent Next Gen port to known management hosts only, and egress filtering to limit the component's outbound reach. These controls can be scoped and enforced at the Kubernetes network-policy or host firewall layer without requiring an application change.
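
The compensating controls described above, sketched as a Kubernetes NetworkPolicy. This is an added example, not HarborGuard's or Oracle's configuration; the namespace, pod label, named port `agent-https`, egress port 443, and the 192.0.2.0/24 management range are placeholder assumptions to replace with your own values.

```yaml
# Added example; every name, port and address below is a placeholder assumption.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-em-agent            # hypothetical policy name
  namespace: oem                     # hypothetical namespace running the agent
spec:
  podSelector:
    matchLabels:
      app: em-agent-nextgen          # hypothetical label on the Agent Next Gen pods
  policyTypes:                       # listing both makes everything unlisted default-deny
    - Ingress
    - Egress
  ingress:
    # Inbound HTTPS to the agent only from known management hosts.
    - from:
        - ipBlock:
            cidr: 192.0.2.0/24       # constructed management range (RFC 5737 documentation block)
      ports:
        - protocol: TCP
          port: agent-https          # named containerPort assumed to be declared in the pod spec
  egress:
    # Outbound reach limited to the same management hosts over HTTPS ...
    - to:
        - ipBlock:
            cidr: 192.0.2.0/24
      ports:
        - protocol: TCP
          port: 443                  # assumed upload port; use your management server's real port
    # ... plus cluster DNS so name resolution keeps working.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy is enforced only when the cluster's CNI plugin implements it, and traffic arriving through a load balancer or NodePort may be source-NATed, so confirm the client address the pod actually sees before relying on the `ipBlock` rule.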

Affected packages
  • Oracle Corporation / Oracle Enterprise Manager Base Platform
    13.5 · 24.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H