CRITICAL · CVE-2026-46900 · CNA: oracle

CVE-2026-46900: Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core)

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1

HarborGuard Analysis

Synopsis

A critical-severity vulnerability affects the Core component of Oracle Enterprise Command Center Framework (part of Oracle E-Business Suite) versions V15 and V16. The flaw is reachable over HTTPS by any low-privileged authenticated user with network access, requiring no victim interaction and no complex setup. Successful exploitation gives the attacker full control over the Framework, with scope-changing impact that can spill over into additional products sharing the same environment, enabling complete takeover including reads of all data, arbitrary writes, and service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-46900 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images derived from Oracle E-Business Suite base layers. Any image containing an affected V15 or V16 build of Oracle Enterprise Command Center Framework is flagged automatically.

Status: Available

Triage

HarborGuard surfaces this CVE with its CVSS v3.1 base score of 9.9 (Critical), weighted against each customer org's configured compliance policy, and routes findings to the appropriate team inbox based on image ownership and severity thresholds set by that org.

Status: Available

Patch

Because Oracle has not yet published a fix version, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Enterprise Command Center Framework service over the network via HTTPS; no local or physical access is required.

  • Authentication: Required

    A valid low-privilege account is sufficient; the attacker does not need admin or elevated credentials, but unauthenticated access is not enough.

  • Victim interaction: Not required

    The attacker can exploit this vulnerability without any action from another user.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental factors are needed.

Blast Radius

  • A successful attacker gains full read access to all data held by the Framework, including stored credentials, session tokens, and business intelligence records.
  • The attacker can write or modify any data within the Framework, corrupting reports, altering configurations, or escalating privileges further.
  • The Framework process can be crashed or made unavailable, disrupting E-Business Suite operations that depend on it.
  • Because the CVSS scope is changed, co-located or downstream products sharing the same environment are also at risk of compromise beyond the Framework itself.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously against all scanned images, with no fix version currently available from Oracle. Until Oracle publishes a patch, recommended compensating controls include tightening network policy to restrict HTTPS access to the Framework to only explicitly authorized internal IP ranges, applying egress filtering to limit lateral movement if the Framework is compromised, and reviewing which low-privilege accounts have access to the affected component. HarborGuard will automatically surface a patched-image rebuild and, for customers with auto-remediation enabled, trigger the full rebuild, regression run, and PR flow the moment Oracle releases a fix. The advisory is re-evaluated on every ingest cycle so no manual monitoring is needed.

Affected packages
  • Oracle Corporation / Oracle Enterprise Command Center Framework
    V15 · V16
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H