CVE-2026-46857 affects Oracle Enterprise Manager Base Platform component Oracle Management Service in versions 13.5 and 24.1. It is an easily exploitable vulnerability that allows unauthenticated remote attackers with network access over HTTP to compromise the platform fully, leading to complete takeover. The vulnerability is rated critical with a CVSS 3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Oracle's June 2026 Critical Security Patch Update advisory includes this vulnerability among 245 security fixes across multiple products. Oracle strongly recommends applying the June 2026 CSPU without delay to mitigate this and other vulnerabilities. The advisory also suggests temporary risk reduction by blocking attack-related network protocols or removing unnecessary privileges, though these measures may disrupt application functionality.

Successful exploitation of this vulnerability results in complete compromise of Oracle Enterprise Manager Base Platform, impacting confidentiality, integrity, and availability. An unauthenticated attacker with network access via HTTP can take over the platform, potentially leading to full control over the affected system.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update immediately to remediate this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges from users. However, these mitigations may affect application functionality. Patch status is not explicitly confirmed in the advisory excerpt; therefore, check the Oracle June 2026 Critical Security Patch Update advisory for the latest patch availability and installation instructions.