PatchSiren cyber security CVE debrief
CVE-2026-46858 Oracle Corporation CVE debrief
A critical vulnerability was discovered in Oracle APM - Application Performance Management, affecting versions 13.5 and 24.1. This vulnerability, tracked as CVE-2026-46858, allows unauthenticated attackers with network access via HTTP to compromise the application, potentially leading to unauthorized data modifications and service disruptions. The vulnerability has a CVSS 3.1 Base Score of 9.1, indicating a critical severity level. System administrators and security professionals responsible for Oracle APM - Application Performance Management installations should be aware of this vulnerability and take immediate action to mitigate potential risks. The vulnerability can be exploited over the network without authentication, allowing attackers to create, delete, or modify critical data and cause service disruptions.
- Vendor
- Oracle Corporation
- Product
- APM - Application Performance Management
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-17
- Original CVE updated
- 2026-06-18
- Advisory published
- 2026-06-17
- Advisory updated
- 2026-06-18
Who should care
System administrators and security professionals responsible for Oracle APM - Application Performance Management installations should be aware of this vulnerability and take immediate action to mitigate potential risks.
Technical summary
The vulnerability, tracked as CVE-2026-46858, is located in the JADM, JVM Diagnostics component of Oracle APM - Application Performance Management. It has a CVSS 3.1 Base Score of 9.1, indicating a critical severity level. The vulnerability can be exploited over the network without authentication, allowing attackers to create, delete, or modify critical data and cause service disruptions. The vulnerability affects versions 13.5 and 24.1 of Oracle APM - Application Performance Management. Oracle Corporation has provided a vendor advisory for this vulnerability. The CVE record was published on 2026-06-17T10:54:03.437Z and last modified on 2026-06-18T22:40:18.040Z.
Defensive priority
High priority should be given to patching or mitigating this vulnerability, as it can be exploited remotely without authentication and has a high impact on data integrity and service availability. System administrators should verify the presence of affected product deployments in their environments and prioritize patching or mitigation efforts accordingly. Compensating controls, such as restricting network access or monitoring for suspicious activity, may be necessary for exposed systems while remediation is scheduled and verified. Additionally, defenders should review relevant monitoring, detection, and logs for exposed assets that need extra review and track exceptions, retest remediated assets, and close the item only after evidence is documented. The priority of defensive actions should be guided by the CVSS 3.1 Base Score of 9.1, indicating a critical severity level. Defenders should also consider the potential operational impact of the vulnerability and prioritize actions based on the likelihood of exploitation and potential damage. The defensive priority is further emphasized by the fact that the vulnerability allows unauthenticated attackers with network access via HTTP to compromise the application, potentially leading to unauthorized data modifications and service disruptions. Therefore, defenders should focus on applying the latest security patches provided by Oracle Corporation, restricting network access to the affected application, and monitoring for suspicious activity and implementing compensating controls if patching is not immediately feasible. The defensive priority should also take into account the fact that the vulnerability has a high impact on data integrity and service availability, and that the CVSS Vector is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). The high defensive priority is also due to the fact that the vulnerability can be exploited over the network without authentication, allowing attackers to create, delete, or modify critical data and cause service disruptions. Defenders should prioritize actions based on the CVSS 3.1 Base Score and the potential operational impact of the vulnerability, and focus on applying patches, and
Recommended defensive actions
- Apply the latest security patches provided by Oracle Corporation
- Restrict network access to the affected application
- Monitor for suspicious activity and implement compensating controls if patching is not immediately feasible
- Review relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
Evidence notes
The CVE record was published on 2026-06-17T10:54:03.437Z and last modified on 2026-06-18T22:40:18.040Z. The NVD entry is currently Analyzed. Oracle Corporation has provided a vendor advisory for this vulnerability. The vulnerability affects versions 13.5 and 24.1 of Oracle APM - Application Performance Management. The CVE record was sourced from NVD, which provides detailed information about the vulnerability. However, the record does not specify the exact number of affected deployments or the extent of potential damage.
Official resources
-
CVE-2026-46858 CVE record
CVE.org
-
CVE-2026-46858 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:54:03.437Z and has not been modified since then. The NVD entry is currently Analyzed.