CRITICAL | CVE-2026-46887 | CNA: oracle

CVE-2026-46887: Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing)

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: none published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

This is a critical-severity vulnerability in the Marketing component of Oracle Siebel CRM (versions 17.0 through 26.5). An unauthenticated attacker with network access over HTTP can reach the affected component without any special privileges or victim interaction, making it trivially reachable from the internet or internal networks. Successful exploitation results in full takeover of the Siebel Apps - Marketing instance, giving the attacker control over its confidentiality, integrity, and availability. No fix versions have been published by Oracle; HarborGuard is tracking this advisory and will surface a patched-image rebuild the moment upstream ships a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-46887 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from Oracle Siebel base layers. Any image containing an affected version of the Marketing component (17.0 through 26.5) is flagged automatically.

Status: Available

Triage

Triage is available using the CVSS 3.1 base score of 9.8 (Critical), weighted against each environment's compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available immediately when Oracle ships a remediated version. In the interim, customers can use HarborGuard's policy controls to flag or block deployment of images containing affected versions and to apply network-isolation compensating controls.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Siebel Apps - Marketing service over the network via HTTP; no local or physical access is required, meaning internet- or intranet-exposed deployments are directly at risk.

  • Authentication: Not required

    No account or credential of any kind is needed; the attacker can send malicious requests to the service as an anonymous user.

  • Victim interaction: Not required

    No user action, click, or session is required on the part of anyone running or using the affected system.

  • Attack complexity (detail)

    Attack complexity is Low, meaning the exploit is reliable and requires no special timing, race condition, or environmental setup to succeed.

Blast Radius

  • The attacker reads all data accessible to the Siebel Marketing component, including campaign records, contact lists, and any credentials or tokens stored in the application.
  • The attacker writes or modifies persisted marketing data, campaign configurations, and application state, enabling data manipulation or poisoning.
  • The attacker can crash or render the Siebel Apps - Marketing service unavailable, disrupting campaign operations and dependent workflows.
  • Full application takeover means the attacker can establish persistence, pivot to connected backend systems, or exfiltrate the entire data set managed by the component.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46887, the platform monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a remediated version is released upstream. In the meantime, customers can apply compensating controls through HarborGuard's policy engine: network-policy rules can be generated to restrict HTTP access to affected Siebel Marketing instances to known internal CIDR ranges, and deployment-blocking policies can prevent images carrying versions 17.0 through 26.5 from being promoted to production environments. Given the CVSS score of 9.8 and the zero-authentication exploit path, treating any image containing this component as high-risk until an upstream fix is available is the recommended posture.
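
The two compensating controls described above (blocking promotion of affected versions and limiting HTTP sources to internal CIDRs) can be expressed as a small pre-deployment check. This is an added example, not HarborGuard's policy engine or API; the workload schema, the sample inventory, and the choice of RFC 1918 ranges as "internal" are assumptions.

```python
import ipaddress

# Affected range stated in the advisory: 17.0 through 26.5, inclusive.
AFFECTED_MIN, AFFECTED_MAX = (17, 0), (26, 5)
# Assumed internal ranges (RFC 1918); substitute the organisation's own CIDRs.
INTERNAL = [ipaddress.ip_network(c)
            for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_version(text):
    """'25.12' -> (25, 12). Only major.minor is kept, so '26.5.1' counts as 26.5."""
    parts = [int(p) for p in text.strip().split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))

def is_affected(version):
    # Tuple comparison, not float or string: 26.10 is later than 26.5.
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

def exposed_sources(allowed_cidrs):
    """Return the allowed HTTP source CIDRs that fall outside every internal range."""
    exposed = []
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == i.version and net.subnet_of(i) for i in INTERNAL):
            exposed.append(cidr)
    return exposed

def evaluate(workload):
    """Return (decision, reasons) for one workload record (hypothetical schema)."""
    if not is_affected(workload["version"]):
        return "allow", []  # outside the range this advisory lists
    if workload["env"] == "production":
        return "block", ["affected version must not be promoted to production"]
    exposed = exposed_sources(workload["http_sources"])
    if exposed:
        return "block", [f"HTTP allowed from non-internal range {c}" for c in exposed]
    return "flag", ["affected version; HTTP limited to internal ranges"]

# Constructed inventory, for illustration only.
SAMPLE = [
    {"name": "mkt-prod", "version": "25.12", "env": "production", "http_sources": ["10.20.0.0/16"]},
    {"name": "mkt-stage", "version": "17.0", "env": "staging", "http_sources": ["10.30.0.0/16", "0.0.0.0/0"]},
    {"name": "mkt-dev", "version": "26.5", "env": "dev", "http_sources": ["192.168.4.0/24"]},
    {"name": "mkt-next", "version": "26.10", "env": "production", "http_sources": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for w in SAMPLE:
        print(w["name"], *evaluate(w))
```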

Affected packages
  • Oracle Corporation / Siebel Apps - Marketing
    ≤ 26.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H