PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46858 Oracle Corporation CVE debrief

A critical vulnerability was discovered in Oracle APM - Application Performance Management, affecting versions 13.5 and 24.1. This vulnerability, tracked as CVE-2026-46858, allows unauthenticated attackers with network access via HTTP to compromise the application, potentially leading to unauthorized data modifications and service disruptions. The vulnerability has a CVSS 3.1 Base Score of 9.1, indicating a critical severity level. System administrators and security professionals responsible for Oracle APM - Application Performance Management installations should be aware of this vulnerability and take immediate action to mitigate potential risks. The vulnerability can be exploited over the network without authentication, allowing attackers to create, delete, or modify critical data and cause service disruptions.

Vendor
Oracle Corporation
Product
APM - Application Performance Management
CVSS
CRITICAL 9.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-17
Original CVE updated
2026-06-18
Advisory published
2026-06-17
Advisory updated
2026-06-18

Who should care

System administrators and security professionals responsible for Oracle APM - Application Performance Management installations should be aware of this vulnerability and take immediate action to mitigate potential risks.

Technical summary

The vulnerability, tracked as CVE-2026-46858, is located in the JADM, JVM Diagnostics component of Oracle APM - Application Performance Management. It has a CVSS 3.1 Base Score of 9.1, indicating a critical severity level. The vulnerability can be exploited over the network without authentication, allowing attackers to create, delete, or modify critical data and cause service disruptions. The vulnerability affects versions 13.5 and 24.1 of Oracle APM - Application Performance Management. Oracle Corporation has provided a vendor advisory for this vulnerability. The CVE record was published on 2026-06-17T10:54:03.437Z and last modified on 2026-06-18T22:40:18.040Z.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it can be exploited remotely without authentication and has a high impact on data integrity and service availability. System administrators should verify the presence of affected product deployments in their environments and prioritize patching or mitigation efforts accordingly. Compensating controls, such as restricting network access or monitoring for suspicious activity, may be necessary for exposed systems while remediation is scheduled and verified. Additionally, defenders should review relevant monitoring, detection, and logs for exposed assets that need extra review and track exceptions, retest remediated assets, and close the item only after evidence is documented. The priority of defensive actions should be guided by the CVSS 3.1 Base Score of 9.1, indicating a critical severity level. Defenders should also consider the potential operational impact of the vulnerability and prioritize actions based on the likelihood of exploitation and potential damage. The defensive priority is further emphasized by the fact that the vulnerability allows unauthenticated attackers with network access via HTTP to compromise the application, potentially leading to unauthorized data modifications and service disruptions. Therefore, defenders should focus on applying the latest security patches provided by Oracle Corporation, restricting network access to the affected application, and monitoring for suspicious activity and implementing compensating controls if patching is not immediately feasible. The defensive priority should also take into account the fact that the vulnerability has a high impact on data integrity and service availability, and that the CVSS Vector is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H). The high defensive priority is also due to the fact that the vulnerability can be exploited over the network without authentication, allowing attackers to create, delete, or modify critical data and cause service disruptions. Defenders should prioritize actions based on the CVSS 3.1 Base Score and the potential operational impact of the vulnerability, and focus on applying patches, and

Recommended defensive actions

  • Apply the latest security patches provided by Oracle Corporation
  • Restrict network access to the affected application
  • Monitor for suspicious activity and implement compensating controls if patching is not immediately feasible
  • Review relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance

Evidence notes

The CVE record was published on 2026-06-17T10:54:03.437Z and last modified on 2026-06-18T22:40:18.040Z. The NVD entry is currently Analyzed. Oracle Corporation has provided a vendor advisory for this vulnerability. The vulnerability affects versions 13.5 and 24.1 of Oracle APM - Application Performance Management. The CVE record was sourced from NVD, which provides detailed information about the vulnerability. However, the record does not specify the exact number of affected deployments or the extent of potential damage.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-17T10:54:03.437Z and has not been modified since then. The NVD entry is currently Analyzed.