CVE-2026-46872: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Install)
Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Install). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Manager Base Platform accessible data as well as unauthorized read access to a subset of Oracle Enterprise Manager Base Platform accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H).
Metrics
- CVSS v3.1: 9.0
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical-severity vulnerability exists in the Install component of Oracle Enterprise Manager Base Platform (versions 13.5 and 24.1). The flaw is reachable over the network via HTTPS and requires a high-privileged account to exploit, with no victim interaction needed; the CVSS v3.1 scope-change flag means successful exploitation can affect systems beyond the directly targeted platform. An attacker who exploits this vulnerability gains the ability to read a subset of accessible data, create, delete, or modify critical data, and cause a complete denial of service through repeated crashes or hangs. No upstream fix has been published yet; HarborGuard is actively tracking this advisory for patch availability.
HarborGuard Coverage
Detection for CVE-2026-46872 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle Oracle Enterprise Manager components. Any image containing an affected version of Oracle Enterprise Manager Base Platform (13.5 or 24.1) is flagged automatically as part of each pipeline scan. Status: Available.
HarborGuard surfaces this CVE with its full CVSS v3.1 score of 9.0 (Critical), weighted against each customer organization's compliance policy to determine priority and routing. Triage tickets are dispatched to the appropriate team inbox within each customer org based on configured ownership rules for affected image layers. Status: Available.
Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a remediated release. In the interim, compensating controls such as network-policy isolation for the affected service and egress filtering are surfaced as recommended actions within the HarborGuard console. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle Enterprise Manager Base Platform service over the network via HTTPS; there is no local-only constraint.
- Authentication: Required
A high-privileged (administrator-level) account is required; low-privilege accounts are not sufficient to trigger the vulnerability.
- Victim interaction: Not required
No user action or social engineering is needed; the attacker can exploit the vulnerability entirely without victim participation.
- Attack complexity: Low
Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads a subset of data accessible to Oracle Enterprise Manager Base Platform, including configuration and managed-target metadata.
- Creates, modifies, or deletes critical data across Oracle Enterprise Manager Base Platform, including managed targets and monitoring configuration.
- Causes a complete denial of service by triggering repeated crashes or indefinite hangs of the Oracle Enterprise Manager Base Platform process.
- Because the CVSS scope is changed, damage can extend to additional products and systems managed or monitored by the platform, beyond the directly attacked instance.
How HarborGuard Handles This
Available on HarborGuard: this CVE is ingested and matched against all scanned images on a continuous basis, flagging any image that includes Oracle Enterprise Manager Base Platform at versions 13.5 or 24.1. Because Oracle has not yet published a fix, no patched-image rebuild is currently available; HarborGuard will generate and surface that rebuild automatically as soon as an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will trigger without manual intervention the moment a fix version is detected in the upstream feed. While awaiting a patch, HarborGuard surfaces compensating-control recommendations including network-policy isolation to restrict HTTPS access to the Install component to trusted administrator sources only, egress filtering to limit lateral reach given the scope-change risk, and privilege-review alerts for accounts with high-level access to the platform. The advisory is re-checked on every ingest cycle so patch availability is reflected within minutes of Oracle publishing a fix.
- Oracle Corporation / Oracle Enterprise Manager Base Platform: 13.5 · 24.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H