CVE-2026-46888 | Severity: HIGH | CNA: oracle

CVE-2026-46888: Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Database Upgrade)

Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Database Upgrade). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM Deployment executes to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in takeover of Siebel CRM Deployment. CVSS 3.1 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1 base score: 7.8
Severity: HIGH
Fixed in: no fixed version published yet (pending upstream)
Affected products: 1


HarborGuard Analysis

Synopsis

A local vulnerability in the Database Upgrade component of Oracle Siebel CRM Deployment affects versions 17.0 through 26.5. An attacker who already holds a low-privileged logon on the infrastructure where Siebel CRM Deployment executes can exploit it with no additional authentication and no user interaction (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). Successful exploitation results in takeover of Siebel CRM Deployment, effectively a local privilege escalation to the rights of that component, with high impact to the confidentiality, integrity and availability of the affected installation (C:H/I:H/A:H). The scope metric is unchanged (S:U), so the rated impact is confined to Siebel CRM Deployment itself rather than extending to the underlying host. No fix version has been published by Oracle; HarborGuard tracks this advisory and will surface a patched-image rebuild as soon as an upstream fix is available.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-46888 is available in every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected Oracle Siebel CRM Deployment base layers. Any image in a connected registry or CI pipeline that carries an affected version (17.0 through 26.5 inclusive) is flagged automatically.
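The detection above keys on the version range 17.0 through 26.5 from the advisory. What follows is an added example, not HarborGuard's or Oracle's code, of a version-range check that avoids the lexicographic pitfall ("26.10" sorts before "26.5" as a string but is a later release) by comparing numeric components. As a labelled assumption it treats any patch level of a listed release (for example 26.5.1) as affected, since the advisory names no fix version and so gives no basis for exempting point releases.

```python
"""Version-range check for the CVE-2026-46888 affected range (17.0 through 26.5)."""
import re

# Range taken from the advisory text; inclusive on both ends.
AFFECTED_LOW = "17.0"
AFFECTED_HIGH = "26.5"


def parse_version(version):
    """'26.5' -> (26, 5).  Accepts a numeric prefix followed by anything
    (e.g. '26.5.1 Build 12') and raises on strings with no numeric prefix."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError("unparseable version string: %r" % (version,))
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version, low=AFFECTED_LOW, high=AFFECTED_HIGH):
    """True if `version` falls inside [low, high], comparing numerically.

    Only as many components as the range bounds carry are compared, so a
    patch level of a listed release (26.5.1) is still matched.  This is a
    deliberate, conservative assumption made for this example: the advisory
    gives no fix version, so there is no basis for exempting point releases.
    """
    lo, hi = parse_version(low), parse_version(high)
    width = max(len(lo), len(hi))
    v = parse_version(version)[:width]
    v = v + (0,) * (width - len(v))      # '26' -> (26, 0)
    return lo <= v <= hi


def naive_string_check(version, low=AFFECTED_LOW, high=AFFECTED_HIGH):
    """The bug this example exists to show: plain string comparison.
    '26.10' < '26.5' lexicographically, so 26.10 is wrongly flagged as affected."""
    return low <= version <= high


if __name__ == "__main__":
    # Constructed sample of version strings as a scanner might extract them.
    for v in ("16.12", "17.0", "22.12", "26.5", "26.5.1 Build 12", "26.10", "27.1"):
        print("%-18s numeric=%-5s string=%s" % (v, is_affected(v), naive_string_check(v)))
```

The numeric check is what a scanner should use; the string comparison is kept only to show the mismatch on "26.10".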
Triage (Available)

Triage is available with a CVSS 3.1 score of 7.8 (HIGH), surfaced alongside per-environment compliance policy weighting so that teams with stricter posture thresholds see it elevated accordingly. Routing rules in each customer organization direct the finding to the appropriate team inbox based on image ownership and policy configuration.
Patch (Pending upstream)

Because no upstream fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available as soon as Oracle ships a corrected release. In the meantime, customers can apply compensating controls through HarborGuard policy rules, such as runtime privilege restrictions on affected workloads and network-policy isolation. Note that the vector is AV:L/PR:L: the attack needs only a low-privileged logon on the host, so network isolation limits what a successful attacker can reach afterwards but does not remove local exploitability. The control that bears directly on this CVE is restricting who can log on to the infrastructure where Siebel CRM Deployment executes.

Exploit Conditions

  • Network reachability: Not required (AV:L)

    The attacker needs an existing shell or process on the host; no network-facing exposure of the vulnerable component is required.

  • Authentication: Required (PR:L)

    Any low-privileged logon to the infrastructure where Siebel CRM Deployment executes is sufficient; no elevated or administrative credentials are needed.

  • Victim interaction: Not required (UI:N)

    No action from another user or administrator is needed to trigger the vulnerability.

  • Attack complexity: Low (AC:L)

    Oracle rates this as easily exploitable: no race conditions or special environmental factors are required. The advisory does not describe the exploitation technique, so nothing beyond this rating can be said about exploit reliability from the published text.

Blast Radius

  • Reads all data accessible to the Siebel CRM Deployment process, which may include database credentials, configuration secrets, and upgrade artifacts stored on disk (C:H).
  • Modifies or destroys persisted configuration files, database upgrade scripts, and any data the process has write access to (I:H).
  • Crashes or hangs the Siebel CRM Deployment process, blocking database upgrade operations and potentially leaving the database in an inconsistent state (A:H).
  • Achieves takeover of Siebel CRM Deployment. The scope is unchanged (S:U), so the rated impact stops at that component; any further pivot into connected database infrastructure would depend on the credentials and connectivity the process holds, which is a reason to treat secrets reachable from the host as exposed.

How HarborGuard Handles This

Available on HarborGuard: every image in connected registries and pipelines is scanned for CVE-2026-46888 and results are surfaced immediately at the High severity rating (CVSS 7.8). Because Oracle has not yet published a fix for affected versions 17.0 through 26.5, no patched-image rebuild is available at this time. HarborGuard re-evaluates the advisory on each ingest cycle and will generate a rebuild automatically the moment Oracle releases a corrected version. For customers who opt into auto-remediation, that rebuild triggers a regression-test run and a PR opened against affected workloads as soon as the upstream fix lands. While awaiting a patch, customers can use HarborGuard policy controls to flag or block deployment of images carrying this CVE, and are encouraged to apply compensating controls at the host level. Since the vector is AV:L/PR:L, the control that bears directly on exploitability is limiting who can log on to the infrastructure running Siebel CRM Deployment: restrict local and interactive logon to the operators who perform upgrades, enforce least-privilege account policies, and audit logons to those hosts. Isolating upgrade-phase workloads from broader network segments limits what a successful attacker can reach afterwards but does not prevent the local attack itself.

Affected packages
  • Oracle Corporation / Siebel CRM Deployment
    17.0 through 26.5 (inclusive)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H