External risk intelligence

Oracle Enterprise Manager Base Platform Metadata Plugin Vulnerability

CVE advisory. Severity: CRITICAL (CVSS 9.9)

CVE-2026-46855

A critical vulnerability exists in Oracle Enterprise Manager Base Platform that allows a low-privileged attacker with network access to compromise the system. Successful exploitation could lead to a complete takeover of the platform and potentially impact other connected products, affecting confidentiality, integrity,

Halo Surface Signal: 3

Affected product: Oracle Enterprise Manager Base Platform

Affected versions: 13.5.0.0 and 24.1.0.0.0

External exposure likelihood

Halo Surface Signal score for CVE-2026-46855

Oracle Enterprise Manager is a management platform typically deployed within internal corporate networks to manage infrastructure. While it requires network access and may be reachable in some deployments, it is not primarily designed as a public-facing internet service or edge gateway.

PCI scan relevance

PCI Relevance for CVE-2026-46855

Yes

CVE-2026-46855 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Oracle Enterprise Manager Base Platform allows an attacker to take over the system, which could impact PCI compliance.

Scan-prioritization guidance only; this is not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle Enterprise Manager Base Platform, an Oracle product used for managing enterprise infrastructure. This issue, which is easily exploitable by a low-privileged attacker with network access, could allow for a complete takeover of the platform and potentially impact other connected products. The severity of this vulnerability is high, affecting both the confidentiality and integrity of data, as well as the availability of the system.

  • An Oracle management platform has a critical weakness.
  • It could allow unauthorized control of systems.
  • Confirm relevance and exposure of this platform.

Attack Path

How an attacker could exploit the issue

An attacker with network access and low privileges can exploit a vulnerability in Oracle Enterprise Manager Base Platform's Metadata Plugin. This allows them to compromise the platform, potentially leading to a full takeover and impacting other connected products.

  • Network access and low privileges required.
  • Vulnerability in the Metadata Plugin component.
  • Results in platform takeover and scope change.

Live Threat

Current exploitation, exposure, and threat context

A low-privileged attacker with network access could potentially achieve full control over the Oracle Enterprise Manager Base Platform. This vulnerability, when exploited, could allow an attacker to compromise the platform and potentially impact other connected products.

  • Oracle Enterprise Manager Base Platform.
  • Network access via HTTPS.
  • Complete system takeover.

Operational Fix

Recommended remediation, mitigation, and detection steps

Oracle Enterprise Manager is likely managed by infrastructure or platform teams, with security teams overseeing network exposure. The first step is to locate all instances of the affected product, verify their business criticality and network reachability, and identify the accountable owner to plan remediation.

  • Infrastructure or platform teams own this.
  • Verify business criticality and network exposure.
  • Plan remediation based on identified risk.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Oracle Enterprise Manager Base Platform?

It is a centralized management software suite used by IT departments to monitor, maintain, and automate enterprise infrastructure, including servers, databases, and applications. The Metadata Plugin, a specific component within this platform, helps manage the definitions and configuration data that allow the system to track these diverse resources.

What does CWE-284 mean for CVE-2026-46855?

This CVE involves an Improper Access Control weakness. In plain terms, the software fails to properly verify or restrict the permissions of a user, allowing them to perform actions they should not be authorized to do. Because this flaw exists in the Metadata Plugin, a user with low-level credentials can bypass these restrictions to gain unauthorized control over the entire management platform.

How is this vulnerability triggered?

An attacker needs network access to the platform via HTTPS and must have already obtained low-level user privileges within the system. It is important to note that this bug is not triggered by public, unauthenticated traffic from anonymous internet users; the attacker must be able to authenticate or operate within the network as an authorized user to initiate the malicious request.

Is my Oracle Enterprise Manager instance at risk?

According to Halo Surface Signal, this software is typically deployed within internal corporate networks rather than exposed directly to the public internet. However, your risk depends on your specific network architecture. If your instance is reachable over a network that includes untrusted segments, or if you provide access to third-party accounts, it may be vulnerable even if it is not technically a public-facing web service.

Do I need to patch CVE-2026-46855 immediately?

Yes, given the critical severity and the potential for a full system takeover, you should prioritize this issue. Start by auditing your environment to locate all active instances of the affected versions, 13.5 and 24.1. Once identified, work with your infrastructure or platform management teams to verify their current network accessibility and schedule the necessary security updates to close the access control gap.
