CVE-2026-46919 | Severity: CRITICAL | CNA: oracle

CVE-2026-46919: Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager)

Vulnerability in the Siebel CRM Cloud Applications product of Oracle Siebel CRM (component: Siebel Cloud Manager). Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel CRM Cloud Applications. Successful attacks of this vulnerability can result in takeover of Siebel CRM Cloud Applications. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: (no fix version published)
Affected Products: 1


HarborGuard Analysis

Synopsis

An authentication bypass (or equivalent unauthenticated remote attack) vulnerability exists in the Siebel Cloud Manager component of Oracle Siebel CRM Cloud Applications, affecting versions 17.0 through 26.5. The vulnerability is reachable over the network via HTTP and requires no authentication and no user interaction. Successful exploitation results in full takeover of the Siebel CRM Cloud Applications instance, giving an attacker control over confidentiality, integrity, and availability. No fix version has been published by Oracle; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-46919 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream Oracle and NVD feeds, including custom-built images that bundle Siebel CRM Cloud Applications components. Any image in a connected registry or CI/CD pipeline is eligible for matching as soon as the CVE record is published.

Triage (Available)

HarborGuard is capable of surfacing this CVE with its CVSS 3.1 score of 9.8 (Critical) and applying each customer organization's compliance policy weighting to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer org based on configured policy, ownership rules, and severity thresholds.

Patch (Pending upstream)

Because Oracle has not yet published a fix version for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, customers can use HarborGuard's advisory tracking view to monitor status and apply compensating controls at the environment level.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Siebel Cloud Manager HTTP service over the network; no local or physical access is required.

  • Authentication: Not required

    No credentials are needed; the vulnerability is exploitable by a completely unauthenticated attacker.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker acts entirely on their own.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.

Blast Radius

  • A successful attacker reads all data accessible to the Siebel CRM Cloud Applications instance, including CRM records, customer data, and stored credentials.
  • A successful attacker writes or modifies persisted CRM data, configurations, and application state within the compromised instance.
  • A successful attacker can crash or render the Siebel CRM Cloud Applications service unavailable, disrupting business operations that depend on it.
  • Full application takeover gives the attacker a foothold to pivot to adjacent services or infrastructure reachable from the Siebel Cloud Manager host.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published by Oracle, the platform continuously re-checks the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment Oracle ships a corrected package. Until a fix is available, HarborGuard surfaces this CVE as Critical in every affected environment and supports the following compensating controls: apply network-policy rules to restrict inbound HTTP access to Siebel Cloud Manager to known trusted source ranges only; use egress filtering to limit outbound connections from the Siebel host; and, where operationally feasible, disable or isolate the Siebel Cloud Manager component until Oracle issues a patch. Customers whose compliance policy flags unpatched Critical CVEs for mandatory escalation will receive routed alerts through their configured team channels without any additional setup.
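The two network-level compensating controls described above (inbound HTTP restricted to trusted source ranges, egress filtering on the Siebel host) expressed as a Kubernetes NetworkPolicy. This is an added example, not HarborGuard's or Oracle's own configuration; it assumes Siebel Cloud Manager runs as pods in a cluster, and the namespace, labels, CIDR, and port values are assumptions to be replaced with the real ones.

```yaml
# Added example (not from the advisory): lock down the Siebel Cloud Manager
# pods until an Oracle fix is available. All names, labels, CIDRs and ports
# below are assumptions for illustration.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: siebel-cloud-manager-lockdown   # assumed policy name
  namespace: siebel                     # assumed namespace
spec:
  podSelector:
    matchLabels:
      app: siebel-cloud-manager         # assumed label on the SCM pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Control 1: only the trusted administrative range may reach the HTTP
    # listener. Every other source (including other cluster workloads) is
    # denied because no other ingress rule exists.
    - from:
        - ipBlock:
            cidr: 10.20.0.0/24          # constructed trusted source range
      ports:
        - protocol: TCP
          port: 443                     # assumed HTTPS listener port
  egress:
    # Control 2: egress filtering. Allow DNS to the cluster resolver ...
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
    # ... and the Siebel backend tier only; all other outbound traffic
    # (for example to the internet) is dropped.
    - to:
        - podSelector:
            matchLabels:
              app: siebel-db            # assumed label on the backend tier
      ports:
        - protocol: TCP
          port: 1521                    # constructed backend port
```

A NetworkPolicy is only enforced when the cluster's CNI plugin supports it, so verify with a connection test from an untrusted source after applying it rather than assuming the object alone blocks traffic.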

Affected packages

  • Oracle Corporation / Siebel CRM Cloud Applications: ≤ 26.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H