CVE-2026-46892: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Human Resources Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Human Resources Management accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Human Resources Man
CVE-2026-46892 is a critical vulnerability in Oracle JD Edwards EnterpriseOne Human Resources Management version 9.2. It allows an unauthenticated attacker with network access via HTTP to compromise the system. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to all accessible data within the product. The vulnerability has a CVSS 3.1 base score of 9.1, indicating high confidentiality and integrity impact without affecting availability. Oracle has included this vulnerability in its June 2026 Critical Security Patch Update, which addresses this and many other vulnerabilities across multiple products. Oracle strongly recommends applying the security patches promptly to mitigate the risk. Until patches are applied, risk reduction may be possible by blocking required network protocols or restricting privileges, though these may impact functionality.
AI Analysis
Technical Summary
This vulnerability affects Oracle JD Edwards EnterpriseOne Human Resources Management version 9.2. It is an easily exploitable remote vulnerability that requires no authentication and can be triggered over HTTP. Exploitation results in high impact on confidentiality and integrity, allowing attackers to create, delete, or modify critical data or gain complete unauthorized access to all data accessible by the product. The vulnerability is addressed in Oracle's June 2026 Critical Security Patch Update. Oracle advises customers to apply the patches immediately and provides guidance on potential temporary mitigations such as network protocol blocking and privilege restrictions, acknowledging possible functional impacts.
Potential Impact
An unauthenticated attacker with network access via HTTP can exploit this vulnerability to gain unauthorized creation, deletion, or modification access to critical data or all accessible data in JD Edwards EnterpriseOne Human Resources Management. This results in a high confidentiality and integrity impact. There is no impact on availability reported. The vulnerability is rated critical with a CVSS 3.1 base score of 9.1.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that includes patches addressing this vulnerability. Customers are strongly advised to apply these security patches without delay. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, though these measures may disrupt application functionality. Oracle’s advisory should be consulted for detailed patch availability and installation instructions: https://www.oracle.com/security-alerts/cspujun2026.html
CVE-2026-46892: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Human Resources Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all JD Edwards EnterpriseOne Human Resources Management accessible data as well as unauthorized access to critical data or complete access to all JD Edwards EnterpriseOne Human Resources Man
Description
CVE-2026-46892 is a critical vulnerability in Oracle JD Edwards EnterpriseOne Human Resources Management version 9.2. It allows an unauthenticated attacker with network access via HTTP to compromise the system. Successful exploitation can lead to unauthorized creation, deletion, or modification of critical data, as well as unauthorized access to all accessible data within the product. The vulnerability has a CVSS 3.1 base score of 9.1, indicating high confidentiality and integrity impact without affecting availability. Oracle has included this vulnerability in its June 2026 Critical Security Patch Update, which addresses this and many other vulnerabilities across multiple products. Oracle strongly recommends applying the security patches promptly to mitigate the risk. Until patches are applied, risk reduction may be possible by blocking required network protocols or restricting privileges, though these may impact functionality.
CVSS v3.1
Score 9.1critical
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability affects Oracle JD Edwards EnterpriseOne Human Resources Management version 9.2. It is an easily exploitable remote vulnerability that requires no authentication and can be triggered over HTTP. Exploitation results in high impact on confidentiality and integrity, allowing attackers to create, delete, or modify critical data or gain complete unauthorized access to all data accessible by the product. The vulnerability is addressed in Oracle's June 2026 Critical Security Patch Update. Oracle advises customers to apply the patches immediately and provides guidance on potential temporary mitigations such as network protocol blocking and privilege restrictions, acknowledging possible functional impacts.
Potential Impact
An unauthenticated attacker with network access via HTTP can exploit this vulnerability to gain unauthorized creation, deletion, or modification access to critical data or all accessible data in JD Edwards EnterpriseOne Human Resources Management. This results in a high confidentiality and integrity impact. There is no impact on availability reported. The vulnerability is rated critical with a CVSS 3.1 base score of 9.1.
Mitigation Recommendations
Oracle has released a Critical Security Patch Update in June 2026 that includes patches addressing this vulnerability. Customers are strongly advised to apply these security patches without delay. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or by removing unnecessary privileges from users, though these measures may disrupt application functionality. Oracle’s advisory should be consulted for detailed patch availability and installation instructions: https://www.oracle.com/security-alerts/cspujun2026.html
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.310Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspujun2026.html","vendor":"Oracle"}]
Threat ID: 6a31b6230b89be6888265d27
Added to database: 6/16/2026, 8:46:27 PM
Last enriched: 6/16/2026, 9:45:33 PM
Last updated: 6/17/2026, 5:09:43 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.