CVE-2026-46889 (Severity: CRITICAL; CNA: Oracle)

CVE-2026-46889: Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing)

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1 base score: 9.8
Severity: CRITICAL
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

A critical unauthenticated remote compromise vulnerability exists in the Marketing component of Oracle Siebel CRM (Siebel Apps - Marketing), affecting versions 17.0 through 26.5. An attacker with HTTP access to the service requires no credentials and no victim interaction to exploit this flaw over the network. Successful exploitation results in full takeover of the affected Siebel Apps - Marketing instance, including complete loss of confidentiality, integrity, and availability. No fix version has been published by Oracle; HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-46889 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images derived from Oracle Siebel base layers. Any image found to carry an affected version of the Siebel Apps - Marketing component (17.0-26.5) is flagged immediately.

Triage: Available

Triage is available with a CVSS v3.1 base score of 9.8 (Critical), surfaced alongside each customer organization's compliance policy weighting to ensure severity is interpreted in the right operational context. Findings are routed to the appropriate team inbox within each customer org based on configured ownership rules for the affected image or workload.

Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-46889, no patched-image rebuild is currently available. HarborGuard re-evaluates the Oracle advisory on every ingest cycle and will make a patched rebuild available automatically the moment Oracle publishes a corrected version; auto-remediation customers receive a rebuild, a regression test run, and a PR against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Siebel Apps - Marketing service over the network via HTTP (AV:N); no local or physical access is needed, so any internet- or intranet-exposed deployment is a viable target.

  • Authentication: Not required

    No credentials of any kind are required (PR:N); an unauthenticated attacker can send exploit traffic directly to the service.

  • Victim interaction: Not required

    The attacker does not need to trick or wait for any user to take an action (UI:N); the exploit is entirely attacker-driven.

  • Attack complexity: Low

    Attack complexity is Low (AC:L), which in CVSS 3.1 terms means no specialized access conditions or extenuating circumstances are required and the attacker can expect repeatable success. Oracle's advisory gives no technical detail on the flaw itself, so nothing beyond the vector should be inferred about the exploitation mechanics.

Blast Radius

Oracle's advisory describes the outcome only as "takeover of Siebel Apps - Marketing" with High confidentiality, integrity and availability impact; the points below follow from that vector rather than from any disclosed technical detail.

  • Reads all data accessible to the Siebel Marketing application, including campaign records, contact lists, and any credentials or session tokens the application holds.
  • Modifies or deletes marketing data, campaign configurations, and persisted application state.
  • Crashes or renders the Siebel Apps - Marketing service unavailable, disrupting campaign operations and dependent integrations.
  • Achieves full application-level takeover. Note that the vector is Scope Unchanged (S:U), so the rated impact is confined to the Marketing component itself; using the compromised instance to pivot to backend systems it can reach is post-exploitation activity that the score does not measure but that a defender should still plan for.

How HarborGuard Handles This

Because Oracle has not yet published a fix for CVE-2026-46889, no patched-image rebuild can be generated at this time. HarborGuard monitors the Oracle advisory on every ingest cycle and will trigger the rebuild-and-PR flow automatically for customers with auto-remediation enabled the moment a corrected version is published. In the interim, customers can reduce exposure through compensating controls:

  • Apply network policy to restrict HTTP ingress to the Siebel Marketing component to known, trusted source ranges. This directly attacks the AV:N precondition: an unreachable service cannot be exploited over the network.
  • Enforce egress filtering from the Marketing instance to limit lateral movement if it is compromised.
  • Where application design permits, gate the Marketing component behind an authenticating reverse proxy. This adds the authentication layer the vulnerability itself does not enforce and effectively removes the PR:N condition for external attackers. A WAF rule can be layered on as well, but with no public detail on the flaw there is no known request pattern to block, so a WAF should be treated as defence in depth rather than as a substitute for restricting reachability.

Customers who want proactive notification when Oracle publishes a fix can subscribe to advisory watch alerts within the HarborGuard console.

Affected packages
  • Oracle Corporation / Siebel Apps - Marketing: 17.0 through 26.5 (all supported versions up to and including 26.5)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H