CRITICAL | CVE-2026-46911 | CNA: oracle

CVE-2026-46911: Vulnerability in the JD Edwards EnterpriseOne Project Costing product of Oracle JD Edwards (component: Job Costing)

Vulnerability in the JD Edwards EnterpriseOne Project Costing product of Oracle JD Edwards (component: Job Costing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via JDENET to compromise JD Edwards EnterpriseOne Project Costing. While the vulnerability is in JD Edwards EnterpriseOne Project Costing, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Project Costing accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Project Costing accessible data. CVSS 3.1 Base Score 9.6 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

Metrics

  • CVSS v3.1 base score: 9.6
  • Severity: CRITICAL
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

An access-control vulnerability in the Job Costing component of Oracle JD Edwards EnterpriseOne Project Costing (version 9.2) allows a low-privileged attacker to reach the service over the network via the JDENET protocol without any additional prerequisites. Successful exploitation grants the attacker full read access to all data accessible by the Project Costing module and the ability to create, modify, or delete critical records. The vulnerability carries a scope-change rating, meaning the impact can extend beyond the Project Costing component to other JD Edwards EnterpriseOne products. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Oracle publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-46911 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle JD Edwards EnterpriseOne components. Any image at the affected version (9.2) is flagged automatically on the next scan cycle.

Triage: Available

HarborGuard surfaces this CVE with its CVSS 3.1 base score of 9.6 (Critical), weighting it further against each environment's active compliance policy to reflect actual organizational exposure. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules, so the right engineers see the alert without manual triage.

Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered without requiring manual intervention once a fix version appears.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the JD Edwards EnterpriseOne JDENET service over the network; no local or physical access is needed.

  • Authentication: Required

    Any low-privilege account on the JD Edwards system is sufficient; no administrative credentials are required.

  • Victim interaction: Not required

    No user action is required; the attacker interacts directly with the service.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental configuration.

Blast Radius

  • Reads all data accessible to the Project Costing module, including job cost records, project budgets, and associated financial data.
  • Creates, modifies, or deletes critical records within JD Edwards EnterpriseOne Project Costing, corrupting project and financial state.
  • Due to a scope change in the CVSS rating, a successful attacker can pivot and impact other JD Edwards EnterpriseOne products beyond the Project Costing component.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical (9.6) and monitored continuously because Oracle has not yet published a remediated version of JD Edwards EnterpriseOne 9.2. On every ingest cycle, HarborGuard re-checks the Oracle advisory feed; when a fix version is released, a patched-image rebuild becomes available immediately. For customers with auto-remediation enabled, the workflow proceeds from rebuild through regression testing to a PR opened against affected workloads without manual steps. In the meantime, compensating controls worth considering include isolating containers running JD Edwards EnterpriseOne components behind network policy rules that restrict inbound JDENET traffic to known trusted sources, applying egress filtering to limit lateral movement in the event of compromise, and reviewing account privilege grants to reduce the number of low-privilege accounts that have access to the Job Costing component.

Affected packages

  • Oracle Corporation / JD Edwards EnterpriseOne Project Costing, version 9.2
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N