CVE-2026-46904 Overview
CVE-2026-46904 is a critical vulnerability in Oracle JD Edwards EnterpriseOne Tools affecting the Enterprise Infrastructure Security component. Supported versions 9.2.0.0 through 9.2.26.2 are affected. An unauthenticated attacker with network access via JDENET can compromise the product without any user interaction. Successful exploitation results in full takeover of JD Edwards EnterpriseOne Tools, impacting confidentiality, integrity, and availability. The flaw is categorized under [CWE-284] Improper Access Control. Oracle published a fix in its Critical Patch Update Security Alert.
Critical Impact
Unauthenticated remote attackers can fully compromise JD Edwards EnterpriseOne Tools deployments over the network via the JDENET protocol.
Affected Products
- Oracle JD Edwards EnterpriseOne Tools 9.2.0.0 through 9.2.26.2
- Component: Enterprise Infrastructure Security
- Protocol exposed: JDENET
Discovery Timeline
- 2026-06-17 - CVE-2026-46904 published to NVD
- 2026-06-18 - Last updated in NVD database
Technical Details for CVE-2026-46904
Vulnerability Analysis
The vulnerability resides in the Enterprise Infrastructure Security component of JD Edwards EnterpriseOne Tools. Oracle classifies it as easily exploitable over the network, requiring no authentication and no user interaction. The attack surface is the JDENET protocol, which handles inter-process communication between EnterpriseOne services such as the Enterprise Server, Server Manager, and JAS web runtime. Successful exploitation grants attackers full control of the EnterpriseOne Tools layer, which mediates business logic, security kernels, and database access across ERP modules. The scope is unchanged, but confidentiality, integrity, and availability are all fully impacted on the target system.
Root Cause
The root cause is improper access control [CWE-284] within JDENET request handling. Oracle has not released technical specifics, but the classification indicates that protected functionality is reachable without enforced authentication or authorization checks. This allows an attacker to invoke privileged operations on the EnterpriseOne Tools service directly.
Attack Vector
Exploitation requires only network reachability to the JDENET listener, typically TCP ports in the 6010-6017 range on Enterprise Servers. An attacker crafts JDENET messages that exercise the unprotected code path and obtains control of the service process. Because JDENET is commonly used between trusted EnterpriseOne tiers, internet-exposed or flat-network deployments significantly increase risk.
No public proof-of-concept code is available at the time of writing. Refer to the Oracle Security Alert for vendor-supplied technical details.
Detection Methods for CVE-2026-46904
Indicators of Compromise
- Unexpected inbound connections to JDENET listener ports (commonly 6010-6017) from non-EnterpriseOne hosts.
- New or unknown processes spawned by jdenet_n or related EnterpriseOne service binaries.
- Anomalous administrative actions, package deployments, or kernel restarts inside JD Edwards audit logs.
- Outbound connections from Enterprise Server hosts to untrusted external addresses.
Detection Strategies
- Inventory all EnterpriseOne Tools instances and confirm exact build versions against the affected 9.2.0.0-9.2.26.2 range.
- Correlate JDENET traffic with the list of authorized EnterpriseOne tiers and alert on deviations.
- Hunt for child processes, shell invocations, or scripting engine activity from EnterpriseOne service accounts.
- Review Server Manager and security kernel logs for authentication anomalies and configuration changes.
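An added example (not from the page, Oracle, or any JD Edwards tooling) for the inventory step above: it parses EnterpriseOne Tools build strings and reports whether each host falls inside the affected 9.2.0.0 through 9.2.26.2 range, treating both ends as inclusive as the advisory text states. Hostnames and version strings are constructed sample values; the fixed release itself is not named on this page and must be taken from the Oracle advisory.

```python
# Added example: triage an EnterpriseOne Tools inventory against the
# affected range for CVE-2026-46904 (9.2.0.0 through 9.2.26.2 inclusive).
from typing import Dict, Tuple

AFFECTED_MIN = (9, 2, 0, 0)
AFFECTED_MAX = (9, 2, 26, 2)


def parse_tools_version(text: str) -> Tuple[int, ...]:
    """Parse a Tools release such as '9.2.26.2' into a 4-tuple of ints.

    Shorter strings are zero-padded ('9.2.26' -> (9, 2, 26, 0)) so they
    compare correctly; anything non-numeric or malformed raises ValueError.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected Tools version format: {text!r}")
    nums = [int(p) for p in parts]  # ValueError on non-numeric components
    nums += [0] * (4 - len(nums))
    return tuple(nums)


def is_affected(text: str) -> bool:
    """True when the version lies inside the affected range (inclusive)."""
    return AFFECTED_MIN <= parse_tools_version(text) <= AFFECTED_MAX


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host -> 'affected' | 'not affected' | 'unparseable'.

    Unparseable entries are reported rather than skipped, because a host
    whose version cannot be confirmed still needs manual follow-up.
    """
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "affected" if is_affected(version) else "not affected"
        except ValueError:
            result[host] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ent-srv-01": "9.2.26.2",   # last affected build
        "ent-srv-02": "9.2.27.0",   # above the affected range
        "ent-srv-03": "9.2.5",      # short form, zero-padded
        "jas-01": "9.2.0.0",        # first affected build
        "legacy-01": "9.1.5.6",     # below the affected range
        "unknown-01": "n/a",        # cannot be confirmed
    }
    for host, status in triage_inventory(sample).items():
        print(f"{host}: {status}")
```

Version strings should come from Server Manager or the Tools release recorded on each instance rather than from file names; a host that reports "unparseable" is a gap in the inventory, not a pass.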
Monitoring Recommendations
- Forward EnterpriseOne, OS, and network flow logs into a centralized analytics platform for cross-source correlation.
- Add alerts for first-time external IPs initiating JDENET sessions to Enterprise Servers.
- Monitor file integrity on EnterpriseOne binaries, specs, and INI configuration files.
- Track process lineage on Enterprise Server hosts to identify post-exploitation behavior.
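An added example (not part of the page and not Oracle code) covering two of the points above: correlating JDENET traffic with an allow-list of authorized EnterpriseOne tiers, and alerting on first-time sources initiating JDENET sessions. The flow records, the trusted subnet 10.20.30.0/24 (the same subnet the page's iptables example uses) and the RFC 1918 ranges used to label a source as external are constructed assumptions; a real deployment would feed in exported flow logs and its own tier list.

```python
# Added example: flag JDENET (6010-6017) connections from sources outside the
# trusted EnterpriseOne tiers, mark external sources, and track first-seen IPs.
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# JDENET listener range as stated on the page (6010-6017 inclusive).
JDENET_PORTS = range(6010, 6018)

# RFC 1918 space; a source outside it is treated as "external" here.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical allow-list of EnterpriseOne tier subnets (constructed value).
TRUSTED_TIERS = ["10.20.30.0/24"]

# Constructed sample flow records (src_ip,dst_ip,dst_port); not real traffic.
SAMPLE_FLOWS = """\
# src_ip,dst_ip,dst_port
10.20.30.5,10.20.30.10,6010
10.20.30.6,10.20.30.10,6015
192.168.50.7,10.20.30.10,6012
192.168.50.7,10.20.30.10,6013
203.0.113.9,10.20.30.10,6017
10.20.30.5,10.20.30.10,443
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


Alert = Tuple[str, Flow]  # (alert kind, offending flow)


def parse_flow_line(line: str) -> Flow:
    """Parse one 'src_ip,dst_ip,dst_port' record into a Flow."""
    src, dst, port = (f.strip() for f in line.split(","))
    return Flow(src, dst, int(port))


def in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


class JdenetMonitor:
    """Stateful evaluator: allow-list check plus first-seen source tracking."""

    def __init__(self, trusted_tiers: Iterable[str]):
        self.trusted = [ipaddress.ip_network(n) for n in trusted_tiers]
        self.seen_sources: Set[str] = set()

    def evaluate(self, flow: Flow) -> List[Alert]:
        alerts: List[Alert] = []
        if flow.dport not in JDENET_PORTS:
            return alerts  # not JDENET traffic; outside this monitor's scope
        if not in_any(flow.src, self.trusted):
            alerts.append(("untrusted_source", flow))
            if not in_any(flow.src, INTERNAL_RANGES):
                alerts.append(("external_source", flow))
            if flow.src not in self.seen_sources:
                alerts.append(("first_seen_source", flow))
        self.seen_sources.add(flow.src)
        return alerts


def run_monitor(lines: Iterable[str], trusted_tiers: Iterable[str]) -> List[Alert]:
    """Evaluate every non-comment record and return all alerts in order."""
    mon = JdenetMonitor(trusted_tiers)
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alerts.extend(mon.evaluate(parse_flow_line(line)))
    return alerts


if __name__ == "__main__":
    for kind, flow in run_monitor(SAMPLE_FLOWS.splitlines(), TRUSTED_TIERS):
        print(f"{kind}: {flow.src} -> {flow.dst}:{flow.dport}")
```

The first-seen set lives in memory only; in a real pipeline it must be persisted (or replaced by the analytics platform's own first-seen logic) so that a restart does not re-alert on every known source. Sources on the allow-list are never "first seen" here by design: the signal of interest is an unfamiliar host talking JDENET, not a trusted tier rotating its addresses.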
How to Mitigate CVE-2026-46904
Immediate Actions Required
- Apply the Oracle Critical Patch Update referenced in the June 2026 Security Alert to all affected EnterpriseOne Tools instances.
- Restrict JDENET ports at the network layer so they are reachable only from trusted EnterpriseOne tiers.
- Remove any internet exposure of Enterprise Servers, HTML Servers, or Server Manager consoles.
- Rotate service account credentials and review recent administrative changes inside JD Edwards.
Patch Information
Oracle addressed CVE-2026-46904 in the June 2026 Critical Patch Update Security Alert. Upgrade JD Edwards EnterpriseOne Tools to the fixed release identified in the Oracle advisory. All versions 9.2.0.0 through 9.2.26.2 must be remediated.
Workarounds
- Place EnterpriseOne Tools servers behind a segmented VLAN and enforce allow-lists for JDENET communication.
- Terminate client connections through a reverse proxy or jump host with strong authentication where feasible.
- Disable unused JDENET kernels and services on each Enterprise Server to reduce attack surface.
- Increase logging verbosity on the security kernel until the patch can be deployed.
# Example: restrict JDENET ports to trusted EnterpriseOne subnets only
# 10.20.30.0/24 is a placeholder; replace it with the subnet(s) of your EnterpriseOne tiers
# Rules are evaluated in order, so the ACCEPT must be inserted before the DROP
iptables -A INPUT -p tcp --dport 6010:6017 -s 10.20.30.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 6010:6017 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.