CRITICAL | CVE-2026-46909 | CNA: oracle

CVE-2026-46909: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security)

Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Enterprise Infrastructure Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected Products: 1

HarborGuard Analysis

Synopsis

An unspecified vulnerability in the Enterprise Infrastructure Security component of Oracle JD Edwards EnterpriseOne Tools (versions 9.2.0.0 through 9.2.26.2) allows a remote, unauthenticated attacker to compromise the system over HTTP. No authentication or user interaction is required, making this trivially exploitable from any network-accessible endpoint. Successful exploitation results in full takeover of the JD Edwards EnterpriseOne Tools environment, including complete loss of confidentiality, integrity, and availability. No fix version has been published by Oracle; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment upstream publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-46909 is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built images that bundle JD Edwards EnterpriseOne Tools components.

Status: Available

Triage

Triage is available with a CVSS 3.1 score of 9.8 (Critical), weighted against each customer organization's compliance policy to determine urgency tier and routed to the appropriate team inbox within that org.

Status: Available

Patch

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, compensating-control recommendations, including network-policy isolation and HTTP ingress restrictions for affected workloads, are surfaced in the triage detail for each matched image.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the JD Edwards EnterpriseOne Tools HTTP endpoint over the network; any internet- or intranet-exposed instance is in scope.

  • Authentication: Not required

    No account or credential of any privilege level is needed to launch the attack.

  • Victim interaction: Not required

    The attacker acts entirely without involving any user; no click, visit, or other action from a victim is needed.

  • Attack complexity: Detail

    The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental setup on the attacker's part.

Blast Radius

  • A successful attacker reads all data accessible to the JD Edwards EnterpriseOne Tools process, including configuration secrets, credentials, and business records.
  • The attacker can write or modify persisted application data, configuration, and any files the process has access to.
  • The attacker can crash or fully disable the JD Edwards EnterpriseOne Tools service, causing an outage for dependent business processes.
  • The combination of full confidentiality, integrity, and availability impact constitutes a complete takeover of the affected Tools environment.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-46909 is matched against all images in customer registries and CI pipelines on an ongoing basis, with triage cards scored at CVSS 9.8 Critical routed according to each organization's compliance policy. Because Oracle has not yet published a fix for versions 9.2.0.0 through 9.2.26.2, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention. While no patch exists, HarborGuard surfaces compensating-control guidance in the triage detail: restricting HTTP ingress to the EnterpriseOne Tools endpoint via Kubernetes NetworkPolicy or equivalent, applying egress filtering to limit lateral movement from a compromised instance, and evaluating whether the component can be isolated behind a VPN or internal-only network segment until Oracle ships a fix.
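A sketch of the ingress and egress restriction described above, as a Kubernetes NetworkPolicy. This is an added example, not HarborGuard's or Oracle's own configuration; the namespace, pod labels, ports and CIDR are placeholders to replace with the values from your deployment.

```yaml
# Added example. All names, labels, ports and CIDRs are assumed placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: e1-tools-isolate
  namespace: jde                      # assumed namespace of the affected workload
spec:
  podSelector:
    matchLabels:
      app: e1-tools                   # assumed label on the EnterpriseOne Tools pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # HTTP is reachable only from the internal gateway pods (for example a
    # VPN-fronted reverse proxy). namespaceSelector and podSelector in the
    # same list item are ANDed, so both must match.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: internal-gateway   # assumed namespace
          podSelector:
            matchLabels:
              app: vpn-proxy          # assumed label
      ports:
        - protocol: TCP
          port: 8080                  # assumed HTTP port of the Tools endpoint
  egress:
    # Cluster DNS only.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The backing database only; every other destination is dropped, which
    # limits lateral movement from a compromised instance.
    - to:
        - ipBlock:
            cidr: 10.20.30.0/28       # assumed database subnet
      ports:
        - protocol: TCP
          port: 1521                  # assumed database listener port
```

The policy only takes effect on clusters whose network plugin enforces NetworkPolicy; once it selects the pods, any ingress or egress not listed is denied.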

Affected packages
  • Oracle Corporation / JD Edwards EnterpriseOne Tools
    ≤ 9.2.26.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H