CRITICAL | CVE-2026-46883 | CNA: oracle

CVE-2026-46883: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security)

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: none listed
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a critical-severity vulnerability in the Enterprise Infrastructure Security component of Oracle JD Edwards EnterpriseOne Tools, affecting versions 9.2.0.0 through 9.2.26.2. An unauthenticated attacker with network access over the JDENET protocol can reach the affected component without any credentials or victim interaction. Successful exploitation results in full takeover of JD Edwards EnterpriseOne Tools, including complete loss of confidentiality, integrity, and availability. No fix version has been published by Oracle; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-46883 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle JD Edwards EnterpriseOne Tools components. Any image running an affected version in the 9.2.0.0 to 9.2.26.2 range is flagged automatically across connected registries and CI/CD pipelines.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 base score of 9.8 (Critical) and weighting it against each customer organization's configured compliance policy to determine urgency and routing. Findings are routable to the appropriate team inbox within each customer org based on image ownership and policy thresholds.

Status: Available

Patch

Because no upstream fix version has been published for CVE-2026-46883, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a remediated release. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention once a fix becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the JD Edwards EnterpriseOne Tools service over the network via the JDENET protocol; any system with network access to the exposed port is a viable attack origin.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerable endpoint accepts unauthenticated requests.

  • Victim interaction: Not required

    The attack is entirely server-side and requires no action from any user or administrator.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race wins, or environmental setup.

Blast Radius

  • A successful attacker gains full control over the JD Edwards EnterpriseOne Tools process, enabling arbitrary code or command execution on the host.
  • All data accessible to the application is exposed, including business-critical ERP records, credentials, and configuration secrets.
  • The attacker can modify or destroy persisted application data, corrupting business transactions and audit trails.
  • The attacker can crash or indefinitely disrupt the EnterpriseOne Tools service, taking dependent business processes offline.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46883, the platform monitors the upstream advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a remediated release appears. In the interim, compensating controls are available to reduce exposure: network-policy isolation to restrict inbound access to JDENET ports only from trusted source ranges, egress filtering to limit lateral movement if a host is compromised, and feature-flag or service-level gating to disable externally reachable JDENET endpoints where operationally feasible. For customers who opt into auto-remediation, the full rebuild, regression-test, and PR flow will activate without manual steps as soon as upstream ships. The advisory status is visible in the HarborGuard dashboard, and policy-based alerting can be configured to notify the responsible team if the CVSS 9.8 severity threshold is crossed in any newly scanned image.

Affected packages
  • Oracle Corporation / JD Edwards EnterpriseOne Tools
    ≤ 9.2.26.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H