CVE-2026-46908 affects Oracle JD Edwards EnterpriseOne Accounts Payable version 9.2 and is an easily exploitable vulnerability that allows a low privileged attacker with network access via HTTP to compromise the product. The vulnerability can result in complete takeover of the Accounts Payable component and may have scope change effects impacting other JD Edwards products. The CVSS 3.1 score is 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting critical impact on confidentiality, integrity, and availability. Oracle's June 2026 Critical Security Patch Update includes patches for this vulnerability. Oracle strongly recommends applying these patches without delay. Until patches are applied, risk reduction may be possible by blocking network protocols required for exploitation and limiting user privileges, though these measures may disrupt normal operations.

Successful exploitation of this vulnerability can lead to full compromise of the JD Edwards EnterpriseOne Accounts Payable component, impacting confidentiality, integrity, and availability. The vulnerability may also affect additional JD Edwards products due to scope change. This can result in unauthorized control over financial processes managed by the Accounts Payable system.

Oracle has released a Critical Security Patch Update in June 2026 that addresses this vulnerability. Customers should apply the June 2026 Critical Security Patch Update promptly to remediate this issue. Until patches are applied, risk can be partially mitigated by blocking network protocols required for exploitation and removing unnecessary privileges from users, although these actions may impact application functionality. Oracle strongly recommends staying on actively supported versions and applying security patches without delay.