This vulnerability affects Oracle Enterprise Command Center Framework versions 15 and 16 and allows a low privileged attacker with network access via HTTP to compromise the framework. The scope of impact extends beyond the framework to additional Oracle products. Exploitation can result in unauthorized creation, deletion, or modification of critical data accessible via the framework. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) reflects network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high confidentiality and integrity impacts. Oracle has published a Critical Security Patch Update in June 2026 that includes fixes for this vulnerability. The vendor strongly urges customers to apply these patches without delay to mitigate risk.

Successful exploitation allows unauthorized creation, deletion, or modification of critical data within Oracle Enterprise Command Center Framework and potentially affects additional Oracle products. Confidentiality and integrity of data are highly impacted, while availability is not affected. The vulnerability can be exploited remotely over the network by an attacker with low privileges and no user interaction is required. This can lead to significant data compromise and unauthorized access within affected environments.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers are strongly advised to apply the provided security patches promptly to remediate the issue. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation and by removing unnecessary privileges or access to relevant packages from users who do not need them. However, these mitigations may impact application functionality. Oracle recommends remaining on actively-supported versions and applying security patches without delay.