This vulnerability exists in the Metadata Plugin component of Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. It is easily exploitable over the network via HTTPS by an attacker with low privileges and no user interaction required. Successful exploitation can result in complete compromise of the Oracle Enterprise Manager Base Platform, affecting confidentiality, integrity, and availability. The vulnerability also has a scope change, meaning it may impact additional Oracle products beyond the base platform. Oracle has published a Critical Security Patch Update in June 2026 that includes patches for this vulnerability among 245 others. The vendor strongly recommends applying these patches immediately. Workarounds include blocking network protocols used by the attack and removing unnecessary privileges from users, though these may disrupt normal operations.

The vulnerability allows an attacker with low privileges and network access via HTTPS to fully compromise the Oracle Enterprise Manager Base Platform. This results in complete loss of confidentiality, integrity, and availability of the affected system. Due to scope change, additional Oracle products integrated with or dependent on the platform may also be impacted. The CVSS 3.1 base score is 9.9, indicating critical severity. No known exploits in the wild have been reported at the time of publication.

Oracle has released a Critical Security Patch Update in June 2026 that includes patches addressing CVE-2026-46855. Customers should apply these patches as soon as possible to remediate the vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges from users, though these measures may affect application functionality. Oracle strongly recommends staying on actively supported versions and applying security patches without delay. Patch status is confirmed by the vendor advisory.