This vulnerability affects Oracle JD Edwards EnterpriseOne Project Costing version 9.2. It is easily exploitable by an attacker with low privileges who has network access via JDENET. Exploitation can result in unauthorized creation, deletion, or modification of critical data within the Project Costing product and may affect other JD Edwards EnterpriseOne products due to scope change. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) reflects network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high confidentiality and integrity impact. Oracle has published a Critical Security Patch Update in June 2026 that includes a patch for this vulnerability.

Exploitation of this vulnerability can lead to unauthorized creation, deletion, or modification of critical data in JD Edwards EnterpriseOne Project Costing, potentially compromising data integrity and confidentiality. The scope change indicates that other JD Edwards products may also be impacted. There is no impact on availability. The CVSS score of 9.6 reflects a critical severity level.

Oracle strongly recommends applying the June 2026 Critical Security Patch Update, which includes patches for this vulnerability. Until patches are applied, risk may be reduced by blocking network protocols required by the attack and by removing unnecessary privileges or access to relevant packages from users who do not require them. These mitigations may affect application functionality. Customers should remain on actively supported versions and apply security patches without delay. Patch status is confirmed by the vendor advisory at https://www.oracle.com/security-alerts/cspujun2026.html.