CVE-2026-46908 (CRITICAL), CNA: oracle

CVE-2026-46908: Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable)

Vulnerability in the JD Edwards EnterpriseOne Accounts Payable product of Oracle JD Edwards (component: Accounts Payable). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Accounts Payable. While the vulnerability is in JD Edwards EnterpriseOne Accounts Payable, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Accounts Payable. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical vulnerability in the Accounts Payable component of Oracle JD Edwards EnterpriseOne version 9.2 allows a low-privileged attacker to reach the system over HTTP and fully compromise the affected product. No authentication beyond a basic user account is needed, and exploitation is straightforward, with successful attacks resulting in complete takeover of the Accounts Payable system and potential cascading impact on additional connected products. No fix version has been published yet; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment Oracle releases one.

HarborGuard Coverage

Detection

Detection for CVE-2026-46908 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using ingestion from upstream Oracle and NVD advisory feeds, covering both vendor-supplied and custom-built container images. Any image in a customer registry or CI/CD pipeline that packages JD Edwards EnterpriseOne Accounts Payable 9.2 is eligible for flagging.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at its full CVSS 3.1 Base Score of 9.9 (Critical) and weighting the finding against each environment's compliance policy to determine urgency. Routed alerts reach the appropriate team inbox inside each customer organization based on policy-defined ownership rules.

Status: Available

Patch

No fix version has been published by Oracle for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will follow without manual intervention once a fix version exists.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the JD Edwards EnterpriseOne Accounts Payable service over the network via HTTP; the CVSS vector specifies AV:N.

  • Authentication: Required

    A low-privilege account is sufficient; the attacker does not need administrative credentials, only any valid user account on the system (PR:L).

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the attacker can exploit this unilaterally (UI:N).

  • Attack complexity: Low

    Exploitation is reliable and condition-free with no race conditions or special environmental dependencies required (AC:L).

Blast Radius

  • A successful attacker reads all data within the Accounts Payable component, including payment records, vendor details, and any stored credentials or session material.
  • The attacker modifies or deletes Accounts Payable records, enabling fraudulent payment entries or destruction of financial audit trails.
  • The attacker crashes or degrades the Accounts Payable service, disrupting payment processing operations.
  • Because the CVSS scope is changed (S:C), the attacker gains a foothold capable of impacting other products and services integrated with or hosted alongside JD Edwards EnterpriseOne.

How HarborGuard Handles This

Available on HarborGuard: detection for this critical, no-fix-yet advisory is active across customer environments, matching images that include JD Edwards EnterpriseOne Accounts Payable 9.2 on every ingest cycle. Because Oracle has not yet published a fix version, there is no patched rebuild to offer at this time. HarborGuard monitors the Oracle advisory and NVD record continuously and will trigger the rebuild-and-PR flow for customers with auto-remediation enabled the moment a fix is released. In the interim, compensating controls worth considering include network policy rules that restrict HTTP access to the Accounts Payable service to explicitly authorized source addresses, egress filtering to limit lateral movement from a compromised instance, and review of which accounts hold even low-privilege access to the component given that PR:L is the only authentication barrier. Customers should treat this as a high-priority finding given the CVSS score of 9.9 and the scope-change designation, which indicates successful exploitation can reach beyond the Accounts Payable boundary into adjacent systems.

Affected packages

  • Oracle Corporation / JD Edwards EnterpriseOne Accounts Payable, version 9.2

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H