CVE-2026-46872: Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Manager Base Platform accessible data a
CVE-2026-46872 is a critical vulnerability in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. It allows a high privileged attacker with network access via HTTPS to compromise the platform, potentially impacting additional Oracle products. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, unauthorized read access to some data, and denial of service through hangs or crashes. The vulnerability has a CVSS 3.1 base score of 9.0, indicating high severity with impacts on confidentiality, integrity, and availability. Oracle has released a Critical Security Patch Update advisory recommending prompt patching and mitigation steps. No explicit patch version or fix details are provided in the advisory content, but Oracle strongly urges applying the June 2026 Critical Security Patch Update. Mitigations include blocking required network protocols and removing unnecessary privileges until patches are applied.
AI Analysis
Technical Summary
This vulnerability affects Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. It is an easily exploitable network vulnerability requiring high privileges and no user interaction, allowing attackers to compromise the platform via HTTPS. The scope of impact extends beyond the base platform to additional Oracle products. Exploitation can result in unauthorized creation, deletion, or modification of critical data, unauthorized read access to some data, and denial of service conditions. The CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, scope change, low confidentiality impact, high integrity and availability impacts. Oracle's June 2026 Critical Security Patch Update advisory includes this vulnerability and recommends immediate patching. Until patches are applied, risk reduction may be achieved by blocking network protocols and limiting privileges.
Potential Impact
Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data or all data accessible via Oracle Enterprise Manager Base Platform. It also allows unauthorized read access to a subset of accessible data and can cause denial of service by hanging or crashing the platform. The vulnerability affects confidentiality, integrity, and availability, with a CVSS score of 9.0 indicating critical impact. The scope of the vulnerability extends to additional Oracle products beyond the base platform.
Mitigation Recommendations
Oracle strongly recommends applying the June 2026 Critical Security Patch Update as soon as possible to remediate this vulnerability. Until patches are applied, risk can be reduced by blocking network protocols required by the attack and removing unnecessary privileges or access to packages from users who do not need them. These mitigations may impact application functionality. Patch status is not explicitly confirmed in the advisory; customers should consult the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for the latest patch availability and installation instructions.
CVE-2026-46872: Easily exploitable vulnerability allows high privileged attacker with network access via HTTPS to compromise Oracle Enterprise Manager Base Platform. While the vulnerability is in Oracle Enterprise Manager Base Platform, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Enterprise Manager Base Platform accessible data a
Description
CVE-2026-46872 is a critical vulnerability in Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. It allows a high privileged attacker with network access via HTTPS to compromise the platform, potentially impacting additional Oracle products. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, unauthorized read access to some data, and denial of service through hangs or crashes. The vulnerability has a CVSS 3.1 base score of 9.0, indicating high severity with impacts on confidentiality, integrity, and availability. Oracle has released a Critical Security Patch Update advisory recommending prompt patching and mitigation steps. No explicit patch version or fix details are provided in the advisory content, but Oracle strongly urges applying the June 2026 Critical Security Patch Update. Mitigations include blocking required network protocols and removing unnecessary privileges until patches are applied.
CVSS v3.1
Score 9.0critical
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Oracle Enterprise Manager Base Platform versions 13.5 and 24.1. It is an easily exploitable network vulnerability requiring high privileges and no user interaction, allowing attackers to compromise the platform via HTTPS. The scope of impact extends beyond the base platform to additional Oracle products. Exploitation can result in unauthorized creation, deletion, or modification of critical data, unauthorized read access to some data, and denial of service conditions. The CVSS 3.1 vector is AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:H, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, scope change, low confidentiality impact, high integrity and availability impacts. Oracle's June 2026 Critical Security Patch Update advisory includes this vulnerability and recommends immediate patching. Until patches are applied, risk reduction may be achieved by blocking network protocols and limiting privileges.
Potential Impact
Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data or all data accessible via Oracle Enterprise Manager Base Platform. It also allows unauthorized read access to a subset of accessible data and can cause denial of service by hanging or crashing the platform. The vulnerability affects confidentiality, integrity, and availability, with a CVSS score of 9.0 indicating critical impact. The scope of the vulnerability extends to additional Oracle products beyond the base platform.
Mitigation Recommendations
Oracle strongly recommends applying the June 2026 Critical Security Patch Update as soon as possible to remediate this vulnerability. Until patches are applied, risk can be reduced by blocking network protocols required by the attack and removing unnecessary privileges or access to packages from users who do not need them. These mitigations may impact application functionality. Patch status is not explicitly confirmed in the advisory; customers should consult the Oracle advisory at https://www.oracle.com/security-alerts/cspujun2026.html for the latest patch availability and installation instructions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.308Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b61e0b89be6888265ba8
Added to database: 6/16/2026, 8:46:22 PM
Last enriched: 6/16/2026, 9:47:37 PM
Last updated: 6/17/2026, 5:04:06 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.