HarborGuard Database
CRITICAL · CVE-2026-46902 · CNA: oracle

CVE-2026-46902: Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core)

Vulnerability in the Oracle Enterprise Command Center Framework product of Oracle E-Business Suite (component: Core). Supported versions that are affected are V15 and V16. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Enterprise Command Center Framework. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Command Center Framework. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1 base score: 9.8
Severity: CRITICAL
Fixed in: (no fix version recorded)
Affected products: 1


HarborGuard Analysis

Synopsis

This is an unauthenticated remote-compromise vulnerability in the Core component of Oracle Enterprise Command Center Framework (ECC), part of Oracle E-Business Suite; supported versions V15 and V16 are affected. Oracle's CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) states that an attacker who can reach the service over HTTPS needs no credentials, no victim interaction and no special conditions, and that a successful attack has full confidentiality, integrity and availability impact on the ECC Framework instance. Scope is unchanged (S:U), so the vector asserts impact on the ECC component only, not on the underlying host or other E-Business Suite components; anything beyond ECC depends on how a given deployment is wired. The Oracle advisory text gives no technical description of the flaw or of the affected endpoint, so the mechanics of exploitation are not known from the advisory alone. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-46902 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that layer Oracle E-Business Suite components. Any image containing an affected version of Oracle Enterprise Command Center Framework (V15 or V16) is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector, placing it at the top of the severity queue. Per-environment compliance policy weighting is then applied so that findings are routed to the appropriate team inbox within each customer organization according to its configured SLA tiers and ownership rules.

Patch: Pending upstream

No fix version for this CVE has appeared in the advisory feeds HarborGuard ingests, so HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle releases a corrected version. For customers with auto-remediation enabled, the rebuild, regression-test run, and pull request against affected workloads are triggered without manual intervention as soon as a fix becomes available. Note that Oracle publishes E-Business Suite CVEs as part of its quarterly Critical Patch Update and normally releases the corresponding patches on My Oracle Support at the same time; an empty fix-version field here means the feed carries none, not necessarily that no patch exists, so also check the Oracle CPU advisory for this CVE directly.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Oracle Enterprise Command Center Framework service over the network via HTTPS (AV:N); internet-exposed and internally network-accessible instances are both in scope.

  • Authentication: Not required

    No credentials of any kind are needed (PR:N); the vulnerable endpoint is reachable by any unauthenticated caller.

  • Victim interaction: Not required

    The attack is fully server-side and requires no action from any user or administrator on the target system (UI:N).

  • Attack complexity: Low

    AC:L means the attacker needs no special conditions outside their control: no race to win and no target-specific configuration or information to gather first. It says nothing about whether a working exploit is publicly available; the advisory on this page does not report one.

Blast Radius

  • A successful attacker reads all data accessible to the Oracle Enterprise Command Center Framework process, including dashboards, business intelligence data, and any credentials or session tokens stored or cached by the application (C:H).
  • The attacker can write to or modify persisted application data, configuration, and any backend database rows reachable with the credentials the compromised process holds (I:H).
  • The attacker can crash or render the Oracle Enterprise Command Center Framework service unavailable, disrupting business operations that depend on it (A:H).
  • Takeover of the ECC Framework gives the attacker a foothold from which to install backdoors, pivot to connected E-Business Suite components, or move laterally. The CVSS scope is unchanged (S:U), so the vector asserts impact on ECC only; how far an attacker gets beyond it depends on the service account, network segmentation, and the trust between ECC and the rest of the suite in a given deployment.

How HarborGuard Handles This

Available on HarborGuard: because no fix version for CVE-2026-46902 has yet appeared in the feeds HarborGuard ingests, the recommended immediate action is to apply compensating controls while awaiting the upstream patch, and to check the Oracle Critical Patch Update advisory for this CVE directly, since Oracle normally ships the patch with the CPU rather than afterwards. HarborGuard flags all images containing Oracle Enterprise Command Center Framework V15 or V16 and surfaces the finding with CRITICAL priority.

Until the fix is applied, teams should:

  • Isolate affected workloads behind strict network policy so that inbound HTTPS to ECC is accepted only from trusted source IP ranges; the vector requires nothing more than network reachability, so reducing who can reach the service is the control with the most leverage.
  • Apply egress filtering on the ECC host or pod so that a compromised service cannot be used as a pivot point or reach out to attacker infrastructure.
  • Gate non-essential ECC Core endpoints with WAF rules or feature flags where the application supports it. The advisory does not name the vulnerable endpoint, so such rules cannot be targeted precisely; treat them as a second layer behind the network restriction, not a substitute for it.

HarborGuard re-checks the Oracle advisory on every ingest cycle; the moment Oracle publishes a patched version, a rebuilt image becomes available and, for customers with auto-remediation enabled, HarborGuard automatically triggers the rebuild, runs regression tests, and opens a pull request against affected workloads.

Affected packages
  • Oracle Corporation / Oracle Enterprise Command Center Framework
    V15 · V16
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H