CVE-2026-46907 (CRITICAL), CNA: oracle

CVE-2026-46907: Vulnerability in the JD Edwards EnterpriseOne Order Promising product of Oracle JD Edwards (component: Order Promising Integration)

Vulnerability in the JD Edwards EnterpriseOne Order Promising product of Oracle JD Edwards (component: Order Promising Integration). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Order Promising. While the vulnerability is in JD Edwards EnterpriseOne Order Promising, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Order Promising. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical-severity vulnerability affects the Order Promising Integration component of Oracle JD Edwards EnterpriseOne Order Promising version 9.2. The flaw is reachable over the network via HTTP and requires only a low-privileged account to exploit, with no victim interaction needed. Successful exploitation gives an attacker full control of the affected system, including complete read, write, and availability impact that can spill across to other products in the environment (a scope change in CVSS terms). HarborGuard is tracking this advisory for patch availability, as no fix version has been published yet.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built images that bundle JD Edwards EnterpriseOne components. Any image running the affected version 9.2 is flagged automatically at the registry and pipeline layers.

Triage: Available

HarborGuard surfaces this CVE with its CVSS 3.1 score of 9.9 (Critical), applies each customer organization's compliance policy weighting to determine urgency, and routes the finding to the appropriate team inbox within that organization. Because the CVSS scope is marked Changed, triage notes call out the lateral-impact risk to adjacent products in the same environment.

Patch: Pending upstream

No upstream fix version has been published for this CVE. HarborGuard re-evaluates the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released. For customers who have opted into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically when that upstream patch arrives.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the JD Edwards Order Promising Integration service over the network via HTTP; no local or physical access is needed.

  • Authentication: Required

    Any low-privileged account is sufficient; no administrative or elevated credentials are required to trigger the vulnerability.

  • Victim interaction: Not required

    No user action is required; the attacker can exploit the vulnerability entirely on their own without involving any other user.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and imposes no special conditions such as race windows or specific memory layout requirements.

Blast Radius

  • A successful attacker gains full read access to all data handled by JD Edwards EnterpriseOne Order Promising, including order records, customer data, and integration payloads.
  • The attacker can modify or delete any data within the compromised component, corrupting order promising workflows and persisted business records.
  • The attacker can crash or render the Order Promising Integration service unavailable, disrupting supply-chain and order fulfillment operations.
  • Because CVSS scope is Changed, the attacker can pivot to compromise other products and services that share the same environment, multiplying the impact beyond the initial target.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all customer images running JD Edwards EnterpriseOne 9.2, with no manual configuration required. Because Oracle has not published a fix, HarborGuard monitors the advisory every ingest cycle and will surface a patched-image rebuild the moment upstream ships one. For customers who opt into auto-remediation, that rebuild will immediately trigger a regression test run and open a PR against affected workloads. In the interim, compensating controls worth evaluating include network-policy rules that restrict HTTP access to the Order Promising Integration endpoint to only known internal sources, egress filtering to limit lateral movement if the component is compromised, and feature-flag or integration-toggle gating to disable the Order Promising Integration endpoint in environments where it is not actively needed. Critical-severity findings at this CVSS score (9.9) are prioritized at the top of the HarborGuard triage queue and routed based on each organization's compliance policy weighting.

Affected packages
  • Oracle Corporation / JD Edwards EnterpriseOne Order Promising
    9.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H