CVE-2026-46901: Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core)
Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Command Center Framework. While the vulnerability is in Oracle Enterprise Command Center Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Command Center Framework accessible data as well as unauthorized access to critical data or complete access to all Oracle Enterprise Command Center Framework accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L).
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical-severity vulnerability affects the Core component of Oracle Enterprise Command Center Framework (part of Oracle E-Business Suite), versions V15 and V16. The flaw is reachable over the network via HTTP and requires only a low-privilege account, with no victim interaction needed; the CVSS scope is changed, meaning a successful attacker can affect systems beyond the directly targeted component. Successful exploitation gives the attacker full read and write access to all data accessible by the framework and the ability to partially disrupt service. HarborGuard is tracking the upstream Oracle advisory for patch availability, as no fix versions have been published yet.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Oracle Enterprise Command Center Framework V15 or V16. Any image carrying an affected version is flagged immediately in the pipeline scan results. (Status: Available)
HarborGuard scores this CVE at CVSS 9.9 (Critical) and weights it against each environment's compliance policy to determine urgency and routing. Findings are surfaced to the appropriate team inbox within each customer organization based on policy-configured ownership rules. (Status: Available)
Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle ships a corrective patch. In the meantime, customers with auto-remediation enabled can apply compensating controls through HarborGuard's policy engine, such as network-isolation rules that restrict HTTP access to the affected service. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle Enterprise Command Center Framework service over the network via HTTP; no physical or local access is needed.
- Authentication: Required
Any low-privilege account is sufficient; the attacker does not need administrative credentials.
- Victim interaction: Not required
No user interaction is needed; the attacker can exploit the vulnerability entirely without involving another person.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special race conditions or environmental preconditions.
Blast Radius
- Reads all data accessible to Oracle Enterprise Command Center Framework, including critical business data stored in E-Business Suite.
- Creates, modifies, or deletes critical or all accessible data within the framework, allowing persistent tampering with business records.
- Affects systems beyond the directly targeted component due to scope change, so adjacent Oracle E-Business Suite products sharing the environment are exposed.
- Partially disrupts service availability of the Oracle Enterprise Command Center Framework, degrading dashboard and command-center functionality for users.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously against every customer image registry and build pipeline for containers running Oracle Enterprise Command Center Framework V15 or V16. Because Oracle has not yet published a fix, HarborGuard re-evaluates the advisory on each ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment an upstream patch becomes available. While no fix exists, teams can use HarborGuard's policy engine to apply compensating controls: network-policy isolation to restrict inbound HTTP access to the affected service, egress filtering to limit lateral movement if the service is compromised, and feature-flag gating to disable non-essential framework components where compliance policy permits. The advisory status is surfaced in the HarborGuard dashboard so security and platform teams have a single place to monitor resolution progress.
Affected Products
- Oracle Corporation / Oracle Enterprise Command Center Framework: V15 · V16
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L