HarborGuard Database

CVE-2026-46892 | Severity: CRITICAL | CNA: oracle

CVE-2026-46892: Vulnerability in the JD Edwards EnterpriseOne Human Resources Management product of Oracle JD Edwards (component: Human Resources)

Vulnerability in the JD Edwards EnterpriseOne Human Resources Management product of Oracle JD Edwards (component: Human Resources). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Human Resources Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Human Resources Management accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Human Resources Management accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a critical-severity unauthenticated access-control vulnerability in the Human Resources component of Oracle JD Edwards EnterpriseOne Human Resources Management version 9.2. The flaw is reachable over HTTP from any network location with no credentials required, and carries a CVSS 3.1 score of 9.1. Successful exploitation gives an attacker full read access to all HR data in the system and the ability to create, modify, or delete any records within the Human Resources module. No fix version has been published by Oracle; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection (status: Available)

Detection for CVE-2026-46892 is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against customer images, including custom-built images that bundle the JD Edwards EnterpriseOne 9.2 stack. Any image found to carry an affected version is flagged automatically in the customer's pipeline.

Triage (status: Available)

Triage is available with the full CVSS 3.1 score of 9.1 (Critical) surfaced alongside each finding, weighted against the per-environment compliance policy configured by the customer organization. Findings are routed to the appropriate team inbox based on policy rules, so the right engineers see the alert without manual sorting.

Patch (status: Pending upstream)

Because no upstream fix version has been published for this CVE, no patched-image rebuild is currently available. HarborGuard re-checks the Oracle advisory and upstream package feeds on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle publishes a fix version.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the JD Edwards EnterpriseOne HTTP interface over the network; any host with network access to the service is in scope.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is exploitable by a completely unauthenticated attacker.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator on the target system.

  • Attack complexity: Low

    Exploit complexity is low, meaning no race conditions, special memory layout, or non-standard environmental conditions are required for reliable exploitation.

Blast Radius

  • Reads all data accessible to the JD Edwards EnterpriseOne HR module, including employee records, compensation details, and personally identifiable information.
  • Creates, modifies, or deletes critical HR records such as employee profiles, payroll data, and organizational structure entries.
  • Provides complete data-level access to every record the Human Resources component can reach, with no partial-access limitation.
  • Integrity loss extends to audit trails and HR transactions, enabling an attacker to cover modifications or inject false records.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix version for CVE-2026-46892, the immediate capability is continuous advisory monitoring and compensating-control guidance. HarborGuard re-checks the upstream Oracle advisory on every ingest cycle, typically every few minutes, and will trigger an automated patched-image rebuild the moment a fix version is released. In the interim, customers are advised to use HarborGuard network-policy isolation recommendations to restrict HTTP access to JD Edwards EnterpriseOne HR endpoints to only explicitly authorized internal hosts, apply egress filtering to limit what the affected service can reach if compromised, and consider feature-flag or WAF-layer gating in front of the Human Resources component if the deployment platform supports it. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will trigger automatically once the upstream patch is available, with no manual intervention required.
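The network-isolation and egress-filtering controls recommended above, as an added example that is not HarborGuard's or Oracle's configuration: a Kubernetes NetworkPolicy (assuming the deployment runs on Kubernetes) that admits HTTP to the JD Edwards EnterpriseOne HTML server pods only from an explicitly labelled set of internal clients and limits the server's outbound traffic to its backend and cluster DNS. The namespace, labels and ports are placeholders, not values from the advisory.

```yaml
# Added example, not HarborGuard's or Oracle's configuration.
# Assumptions (placeholders, not from the advisory): the JD Edwards
# EnterpriseOne HTML server runs as pods labelled app=jde-html in the
# "jde" namespace and listens on TCP 8080; authorized internal clients
# (an internal gateway or the HR front door) carry role=jde-hr-client;
# the backend enterprise server pods are labelled app=jde-enterprise
# and listen on TCP 6016; cluster DNS lives in kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: jde-hr-isolate
  namespace: jde
spec:
  podSelector:
    matchLabels:
      app: jde-html
  policyTypes:
    - Ingress
    - Egress
  # Ingress: only explicitly authorized internal hosts may open HTTP to
  # the HR endpoints; every other source, including unauthenticated
  # clients elsewhere in the cluster, is denied by omission.
  ingress:
    - from:
        - podSelector:
            matchLabels:
              role: jde-hr-client
      ports:
        - protocol: TCP
          port: 8080
  # Egress filtering: if the HTML server is compromised it can still
  # only reach cluster DNS and its own backend, not arbitrary hosts.
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    - to:
        - podSelector:
            matchLabels:
              app: jde-enterprise
      ports:
        - protocol: TCP
          port: 6016
```

Traffic from outside the cluster reaches the HR endpoints only through a gateway pod carrying the admitted label, which is also where the WAF-layer gating mentioned above would sit.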

Affected packages
  • Oracle Corporation / JD Edwards EnterpriseOne Human Resources Management, version 9.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N