CRITICAL | CVE-2026-46893 | CNA: oracle

CVE-2026-46893: Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation)

Vulnerability in the JD Edwards EnterpriseOne General Ledger product of Oracle JD Edwards (component: E1 Foundation). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via SMB to compromise JD Edwards EnterpriseOne General Ledger. While the vulnerability is in JD Edwards EnterpriseOne General Ledger, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne General Ledger. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a critical-severity remote code execution vulnerability in Oracle JD Edwards EnterpriseOne General Ledger (component: E1 Foundation), version 9.2. An attacker with a low-privilege account can reach the service over the network via SMB and exploit this flaw without any victim interaction. Successful exploitation results in full takeover of the General Ledger component, with impact extending to additional products in scope due to a CVSS scope change. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-46893 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream Oracle and NVD feeds. This matching covers custom-built images that bundle JD Edwards EnterpriseOne components, not only official vendor images.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS 3.1 rating of 9.9 (Critical) and weighting it against each customer organization's compliance policy to surface it at the appropriate severity tier. Routing rules within each environment can direct the alert to the team responsible for ERP or financial-systems workloads.

Status: Available

Patch

Because no fix version has been published by Oracle as of the CVE publication date, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the affected service over the network via SMB; the component exposes an over-the-network attack surface (AV:N).

  • Authentication: Required

    Any low-privilege account on the system is sufficient; no administrative or elevated credentials are needed (PR:L).

  • Victim interaction: Not required

    No user action, click, or social-engineering step is needed to trigger the vulnerability (UI:N).

  • Attack complexity: Detail

    The exploit is reliable and condition-free with no race conditions or special environmental factors required (AC:L).

Blast Radius

  • A successful attacker achieves full takeover of JD Edwards EnterpriseOne General Ledger, reading all stored financial records, journal entries, and account data.
  • The attacker can modify or delete persisted ledger rows and General Ledger configuration, corrupting financial data integrity.
  • The attacker can crash or deny availability of the General Ledger service, halting financial processing workflows.
  • Due to the CVSS scope change, other products integrated with the E1 Foundation component are also exposed to the same confidentiality, integrity, and availability impacts.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix version for this Critical-rated CVE (CVSS 9.9), HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild opportunity the moment upstream publishes one. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point. In the interim, compensating controls worth evaluating include network-policy isolation to restrict SMB access to the JD Edwards General Ledger component to only authorized internal hosts, egress filtering to limit lateral movement if the component is compromised, and feature-flag or role-based gating to reduce the number of accounts that hold even low-privilege access to the E1 Foundation component. Customers with strict compliance policies that require documented risk acceptance for unpatched Critical CVEs can use HarborGuard's policy engine to flag and route this finding accordingly.

Affected packages
  • Oracle Corporation / JD Edwards EnterpriseOne General Ledger
    9.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H