CVE-2026-46913: Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Installation Security)
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Installation Security). Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where JD Edwards EnterpriseOne Tools executes to compromise JD Edwards EnterpriseOne Tools. While the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools. CVSS 3.1 Base Score 9.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 9.3
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A critical local-privilege vulnerability exists in the Installation Security component of Oracle JD Edwards EnterpriseOne Tools, affecting versions 9.2.0.0 through 9.2.26.2. An unauthenticated attacker with a local session on the host where EnterpriseOne Tools runs can exploit this flaw without any credentials or user interaction. Successful exploitation gives the attacker full control over the JD Edwards EnterpriseOne Tools installation, with impact that extends beyond the product itself due to a CVSS scope change. No fix version has been published; HarborGuard tracks the upstream advisory for patch availability.
HarborGuard Coverage
- Available: Detection of CVE-2026-46913 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and build pipelines, including custom-built images derived from affected JD Edwards base layers.
- Available: Triage is available with CVSS v3.1 scoring applied at a base score of 9.3 (Critical), weighted against each customer's compliance policy to prioritize routing. Findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Pending upstream: Because no upstream fix version has been published for CVE-2026-46913, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as Oracle publishes a remediated release. In the interim, compensating controls such as network-policy isolation, restricting local logon access to the host running EnterpriseOne Tools, and tightened egress filtering are surfaced as guidance within each customer's findings view.
Exploit Conditions
- Network reachability: Not required. The attacker needs an existing shell or process on the host where JD Edwards EnterpriseOne Tools executes; no network path to the service is required.
- Authentication: Not required. No credentials of any kind are needed; the CVSS vector specifies PR:N, meaning an unauthenticated local session is sufficient to attempt exploitation.
- Victim interaction: Not required. The exploit completes without any action from another user or administrator on the system.
- Attack complexity: Low. Attack complexity is Low (AC:L): exploitation does not depend on conditions outside the attacker's control, such as a race condition, a particular memory layout, or another environmental prerequisite.
Blast Radius
- A successful attacker achieves full takeover of JD Edwards EnterpriseOne Tools, reading all data the process has access to, including configuration secrets, credentials stored by the installer, and application data.
- The attacker can modify or delete persisted application data, configuration files, and installation artifacts managed by the Tools component.
- The affected service and any dependent processes can be crashed or made unavailable, disrupting ERP operations reliant on EnterpriseOne Tools.
- Due to a CVSS scope change, the attacker can pivot and affect additional products or services running on the same infrastructure beyond the JD Edwards process itself.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix version for CVE-2026-46913, the immediate capability is continuous advisory monitoring. HarborGuard re-evaluates the upstream Oracle advisory on every ingest cycle and will automatically make a patched-image rebuild available as soon as a remediated version is released. For customers who opt into auto-remediation, that rebuild will trigger a regression-test run and a PR opened against affected workloads without manual intervention. While no patch exists, HarborGuard surfaces compensating-control guidance within the findings view for affected images: restricting local logon access to the host running EnterpriseOne Tools, applying network-policy isolation to limit lateral movement enabled by the scope change, and auditing which container workloads include JD Edwards EnterpriseOne Tools layers in the 9.2.0.0-9.2.26.2 range. Customers whose compliance policies flag Critical-severity unpatched findings for escalation will have this CVE routed accordingly based on their configured ownership rules.
Affected Products
- Oracle Corporation / JD Edwards EnterpriseOne Tools: ≤ 9.2.26.2
- CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H