This vulnerability in Oracle JD Edwards EnterpriseOne Accounts Payable (version 9.2) permits a low privileged attacker with network access via HTTP to perform unauthorized actions on critical data, including creation, deletion, or modification. The CVSS 3.1 base score is 8.1, reflecting high confidentiality and integrity impacts with no required user interaction. The vulnerability is publicly disclosed and included in Oracle's June 2026 Critical Security Patch Update. Oracle recommends applying the patch immediately to remediate the issue. No specific exploit in the wild is currently known.

Successful exploitation allows unauthorized access to critical data within JD Edwards EnterpriseOne Accounts Payable, including the ability to create, delete, or modify such data. This compromises data confidentiality and integrity, potentially affecting business operations reliant on accurate accounts payable information. Availability is not impacted according to the CVSS vector.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers running JD Edwards EnterpriseOne Accounts Payable version 9.2 should apply the June 2026 Critical Security Patch Update without delay. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges from users. Oracle strongly recommends staying on actively supported versions and promptly applying security patches as detailed in the vendor advisory at https://www.oracle.com/security-alerts/cspujun2026.html.