HarborGuard Database

CRITICAL | CVE-2026-46875 | CNA: oracle

CVE-2026-46875: Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Deployment Library)

Vulnerability in the Oracle Enterprise Manager Base Platform product of Oracle Enterprise Manager (component: Deployment Library). Supported versions that are affected are 13.5 and 24.1. Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1 base score: 9.1
Severity: CRITICAL
Fixed in: no fix version published yet
Affected products: 1


HarborGuard Analysis

Synopsis

A critical-severity vulnerability exists in the Deployment Library component of Oracle Enterprise Manager Base Platform, affecting versions 13.5 and 24.1. An attacker who holds high-privileged (administrative) credentials and can reach the service over HTTPS can exploit this flaw, and because the scope-change flag (S:C) is set in the CVSS vector, a successful attack reaches beyond the directly targeted component. Successful exploitation results in full takeover of the platform, giving the attacker complete control over confidentiality, integrity, and availability, including impact on additional dependent products. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46875 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Oracle Enterprise Manager Base Platform 13.5 or 24.1. Any image containing an affected version will be flagged in the registry scan and in any CI/CD pipeline stage where HarborGuard is integrated.
Triage: Available

Triage is available with a CVSS 3.1 score of 9.1 (Critical), weighted against each customer organization's compliance policy to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.
Patch: Pending upstream

No fix version has been published by Oracle at this time, so no patched-image rebuild is currently available. HarborGuard re-checks the advisory on every ingest cycle and will automatically make a patched rebuild available, triggering the standard rebuild-and-PR flow for customers with auto-remediation enabled, as soon as Oracle ships a fix.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Enterprise Manager Base Platform service over the network via HTTPS; the service must be accessible from the attacker's location.

  • Authentication: Required

    A high-privileged (administrative) account is required; low-privilege credentials are not sufficient to trigger the vulnerability.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can exploit the vulnerability entirely without involving another user.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other variable environmental factors.

Blast Radius

  • A successful attacker gains full read access to all data managed by Oracle Enterprise Manager Base Platform, including monitored target credentials, configuration data, and stored secrets.
  • The attacker can modify or destroy any persisted configuration, job definitions, or deployment artifacts within the platform.
  • The attacker can crash or render the Enterprise Manager service fully unavailable, disrupting monitoring and management operations for all connected targets.
  • Because the CVSS scope is changed, additional products managed or monitored by the platform are also at risk of compromise beyond the directly targeted component.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-46875 is matched against all images in customer registries and pipelines that include Oracle Enterprise Manager Base Platform 13.5 or 24.1, with findings surfaced at Critical severity (CVSS 9.1). Because Oracle has not yet published a fix, no patched-image rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle; the moment Oracle releases a patched version, a rebuilt image becomes available, and customers with auto-remediation enabled will automatically receive a rebuild, a regression-test run, and a pull request opened against affected workloads. In the interim, compensating controls worth considering include restricting network access to the Enterprise Manager HTTPS interface to known administrative source addresses via network policy, applying egress filtering to limit lateral reach if a compromise occurs, and auditing which accounts hold high-privileged roles within the platform to reduce the pool of credentials that could be leveraged by an attacker.

Affected packages
  • Oracle Corporation / Oracle Enterprise Manager Base Platform
    13.5 · 24.1
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H