CRITICAL | CVE-2026-46880 | CNA: oracle

CVE-2026-46880: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security)

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A critical unauthenticated network vulnerability exists in the Enterprise Infrastructure Security component of Oracle JD Edwards EnterpriseOne Tools, affecting versions 9.2.0.0 through 9.2.26.2. The flaw is reachable over the network via the JDENET protocol without any credentials or user interaction, meaning any attacker who can reach the service can attempt exploitation. Successful exploitation results in full takeover of JD Edwards EnterpriseOne Tools, giving the attacker read, write, and denial-of-service capability over the affected system. No fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including internally built images that bundle JD Edwards EnterpriseOne Tools components. Any image in a customer registry or CI pipeline running an affected version (9.2.0.0 through 9.2.26.2) is flagged automatically.

Status: Available

Triage

HarborGuard scores this vulnerability at CVSS 9.8 (Critical) and can weight that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix has been published for this CVE, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available immediately once Oracle ships a remediated version. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the JD Edwards EnterpriseOne Tools service over the network via the JDENET protocol; internet- or intranet-exposed deployments are directly at risk.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is exploitable by a completely unauthenticated attacker.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the service without involving any human on the target side.

  • Attack complexity: Detail

    Attack complexity is low, meaning exploitation is expected to be repeatable and requires no special conditions, race conditions, or environmental setup beyond network access.

Blast Radius

  • A successful attacker can read all data accessible to the EnterpriseOne Tools service, including configuration secrets, credentials, and business records.
  • The attacker can write to or modify any data the service can reach, including persisted ERP records and system configuration.
  • The attacker can crash the EnterpriseOne Tools service or render it unavailable, disrupting dependent business processes.
  • Full system takeover means the attacker can install backdoors or pivot to other systems reachable from the compromised host.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical severity and matched against all images in customer registries and pipelines within minutes of ingestion. Because Oracle has not yet published a fix for versions 9.2.0.0 through 9.2.26.2, no patched-image rebuild is available at this time. In the interim, customers should consider applying network-policy isolation to restrict JDENET port access to only trusted source addresses, enabling egress filtering on hosts running EnterpriseOne Tools, and reviewing whether the service needs internet-facing exposure at all. HarborGuard re-evaluates the advisory on every ingest cycle; the moment Oracle publishes a remediated version, a patched-image rebuild becomes available, and customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads automatically.

Affected packages
  • Oracle Corporation / JD Edwards EnterpriseOne Tools
    ≤ 9.2.26.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H