CRITICAL | CVE-2026-46890 | CNA: oracle

CVE-2026-46890: Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing)

Vulnerability in the Siebel Apps - Marketing product of Oracle Siebel CRM (component: Marketing). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps - Marketing. Successful attacks of this vulnerability can result in takeover of Siebel Apps - Marketing. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

An unauthenticated remote exploitation vulnerability affects the Marketing component of Oracle Siebel CRM (versions 17.0 through 26.5). An attacker with HTTP network access can reach the vulnerable component without any credentials or user interaction, and successful exploitation results in full takeover of the Siebel Apps - Marketing application, including read, write, and denial-of-service impact. No fix versions have been published yet; HarborGuard is tracking this advisory and will surface a patched-image rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection

Detection of CVE-2026-46890 is available across every HarborGuard environment - the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from affected Oracle Siebel base layers. Any image carrying an affected version of Siebel Apps - Marketing (17.0 through 26.5) is flagged automatically.

Status: Available

Triage

Triage is available with a CVSS 3.1 score of 9.8 (Critical), surfaced alongside each customer organization's compliance policy weighting to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle releases a corrected version. In the interim, HarborGuard surfaces the affected images and supports policy-driven compensating controls such as network-policy isolation to reduce exposure until a fix is available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Siebel Apps - Marketing service over the network via HTTP; there is no local-only restriction.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerable endpoint is accessible to unauthenticated requests.

  • Victim interaction: Not required

    The attacker does not need any user on the target system to take an action; exploitation is fully attacker-driven.

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable, with no race conditions, special configurations, or environmental factors required.

Blast Radius

  • A successful attacker reads all data accessible to the Siebel Apps - Marketing component, including campaign data, contact records, and any credentials or tokens stored by the application.
  • A successful attacker writes to or modifies persisted marketing data, campaign configurations, and application state, enabling manipulation of business records.
  • A successful attacker crashes or otherwise disrupts the Siebel Apps - Marketing service, making it unavailable to legitimate users.
  • Full application takeover means the attacker can chain further access into backend systems or databases that the Marketing component is authorized to reach.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46890, the platform monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment an upstream fix is released. In the meantime, customers can use HarborGuard's policy engine to enforce network-policy isolation on any image carrying Siebel Apps - Marketing 17.0 through 26.5, restricting inbound HTTP access to known-safe source ranges and reducing the exploitable attack surface while a vendor patch is pending. All affected images remain flagged at Critical priority in the HarborGuard dashboard until the advisory is resolved.

Affected packages

  • Oracle Corporation / Siebel Apps - Marketing: ≤ 26.5

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H