CRITICAL · CVE-2026-46899 · CNA: oracle

CVE-2026-46899: Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core)

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a critical-severity vulnerability in the Core component of Oracle Enterprise Command Center Framework, part of Oracle E-Business Suite versions V15 and V16. An attacker with a low-privilege account and network access over HTTP can reach the affected component without any special configuration or victim interaction, and the vulnerability carries a scope change, meaning that successful exploitation extends its impact beyond the directly targeted component. A successful attack grants the attacker full read access to all data accessible within Oracle Enterprise Command Center Framework as well as the ability to create, modify, or delete critical data. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-46899 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. This matching covers custom-built images that bundle Oracle E-Business Suite components, not only images pulled directly from Oracle Container Registry.

Triage: Available

HarborGuard is capable of surfacing CVE-2026-46899 with its CVSS 3.1 Base Score of 9.6 (Critical) and applying each customer organization's compliance policy weighting to determine priority. Triage routing is available to direct the finding to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Enterprise Command Center Framework service over the network via HTTP; there is no requirement for local or physical access.

  • Authentication: Required

    Any valid low-privilege account is sufficient; the attacker does not need administrative or elevated credentials to trigger the vulnerability.

  • Victim interaction: Not required

    No user action is needed; the attacker can exploit the vulnerability directly without involving any other person.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors outside the attacker's control.

Blast Radius

  • Reads all data accessible within Oracle Enterprise Command Center Framework, including sensitive business intelligence data surfaced through EBS dashboards.
  • Reads critical data in products outside the directly targeted component due to the scope change in the CVSS vector.
  • Creates, modifies, or deletes critical data within Oracle Enterprise Command Center Framework, allowing persistent tampering with business records.
  • Modifies or destroys data in additional in-scope Oracle E-Business Suite products that share the affected framework component.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix version for CVE-2026-46899, the platform monitors the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. In the interim, customers can apply compensating controls through HarborGuard network policy suggestions, including isolating container workloads that bundle Oracle Enterprise Command Center Framework V15 or V16 behind strict ingress rules to limit HTTP reachability to trusted internal sources only, and applying egress filtering to restrict lateral movement in the event a low-privilege account is compromised. For customers with auto-remediation enabled, the full rebuild, regression test, and PR flow will activate without manual steps as soon as a fix version is published upstream. All customers can monitor the advisory status directly from the CVE detail page, which reflects feed updates within minutes of Oracle releasing new information.

Affected packages
  • Oracle Corporation / Oracle Enterprise Command Center Framework
    V15 · V16
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N