CVE-2026-46886: Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing)
Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An easily exploitable vulnerability exists in the Marketing component of Oracle Siebel CRM (Siebel Apps - Marketing), affecting versions 17.0 through 26.5. The flaw is reachable over the network via HTTP and requires only a low-privileged account, with no victim interaction needed. Successful exploitation gives an attacker full control over the affected Siebel Apps - Marketing instance, impacting confidentiality, integrity, and availability. No fix versions have been published yet; HarborGuard is tracking the Oracle advisory for patch availability.
HarborGuard Coverage
- Available: Detection capability is available across every HarborGuard environment. The CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against container images in customer registries and CI/CD pipelines, including custom-built images that bundle Oracle Siebel components.
- Available: HarborGuard is capable of scoring this finding at CVSS 8.8 (High) and weighting it against each environment's compliance policy to surface it at the appropriate severity tier; routing to the correct team inbox within a customer org is handled automatically based on configured ownership rules.
- Pending upstream: Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle ships a corrected release. In the meantime, customers can use HarborGuard's policy controls to flag any image containing the affected component for manual review or blocking at the pipeline gate.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Siebel Apps - Marketing service over the network via HTTP; no local or physical access is assumed.
- Authentication: Required. Any low-privilege account is sufficient; the attacker does not need administrative credentials.
- Victim interaction: Not required. No victim action such as clicking a link or opening a file is needed for exploitation.
- Attack complexity: Low. This means the exploit is reliable and requires no special conditions, race timing, or memory-layout knowledge.
Blast Radius
- A successful attacker reads all data accessible to the Siebel Marketing application, including campaign records, contact lists, and stored credentials.
- The attacker can modify or delete persisted marketing data, campaign configurations, and application settings.
- The attacker can crash or otherwise take over the Siebel Apps - Marketing service, causing a full denial of service for marketing operations.
- Full application takeover means the attacker can pivot using the application's identity and network position to reach adjacent internal services.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46886 is active across all connected registries and pipelines, matching images that include Oracle Siebel Apps - Marketing versions 17.0 through 26.5. Because Oracle has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild option as soon as an upstream fix is released. For customers who opt into auto-remediation, that rebuild will automatically trigger a regression test run and a PR against affected workloads. While no patch is available, recommended compensating controls include applying network policy to restrict inbound HTTP access to the Siebel Marketing component to authorized internal IP ranges only, enforcing egress filtering to limit lateral movement from a compromised instance, and using HarborGuard's pipeline gate policy to block promotion of images containing the affected component to production environments until a fix is available.
Affected Products
- Oracle Corporation / Siebel Apps - Marketing: ≤ 26.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)