
JD Edwards EnterpriseOne Project Costing Vulnerability Allows Critical Data Access and Modification.

CVE advisory · Severity: CRITICAL (CVSS 9.6)

CVE-2026-46911

A critical vulnerability exists in Oracle JD Edwards EnterpriseOne Project Costing that could allow a low-privileged attacker with network access to modify, delete, or gain unauthorized access to critical project and financial data. The exploit's impact may extend to other JD Edwards products.

Halo Surface Signal

Unlikely · external exposure


The vulnerability affects the Job Costing component of Oracle JD Edwards EnterpriseOne, which typically resides deep within an enterprise's private business network. While it requires network access via JDENET, it is not designed for public internet exposure and is normally protected by internal network controls, making direct internet-facing reachability uncommon.

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Oracle's JD Edwards EnterpriseOne Project Costing software. This issue, if exploited, could allow unauthorized individuals to access, alter, or delete sensitive project and financial data within the system, potentially impacting other connected products.

  • Attackers can change or view critical data.
  • The affected component safeguards core financial and project information.
  • Confirm relevance and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with low privileges and network access can exploit a vulnerability in Oracle JD Edwards Project Costing. This could allow them to gain unauthorized access to critical data, modify or delete important information, or even take complete control of accessible data within the JD Edwards EnterpriseOne Project Costing system. The impact extends beyond Project Costing, potentially affecting other connected products.

  • Requires network access with low privileges.
  • Vulnerable component is JD Edwards Project Costing.
  • Risk of unauthorized data access and modification.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker with network access to improperly create, delete, or modify critical data within JD Edwards EnterpriseOne Project Costing, or gain complete unauthorized access to its data. The impact may extend to other JD Edwards products.

  • Critical JD Edwards Project Costing data.
  • Low-privileged attacker with network access.
  • Unauthorized data modification or complete access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The JD Edwards EnterpriseOne Project Costing vulnerability requires coordination between the application owner responsible for JD Edwards, the infrastructure team managing JDENET, and potentially the vendor management team for Oracle support. The immediate priority is to confirm that an affected JD Edwards version is present, assess its network exposure, identify its business criticality, and then determine the most appropriate remediation strategy based on risk.

  • Application owners must lead the issue resolution.
  • Verify JD Edwards accessibility and business impact.
  • Plan and schedule remediation during approved downtimes.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-46911 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in JD Edwards EnterpriseOne Project Costing allows unauthorized access and modification of critical data, likely causing a PCI ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.


Frequently asked questions

What is Oracle JD Edwards EnterpriseOne Project Costing?

It is a business application used by organizations to track, manage, and analyze project-related financial data. It functions as a specialized component within the broader JD Edwards EnterpriseOne suite, helping finance and operations teams maintain accurate records of job costs and project expenditures.

What does CVE-2026-46911 mean for the system?

This CVE identifies a weakness categorized as CWE-284, which relates to improper access control. In plain terms, the software fails to correctly restrict what a user can do. Because of this flaw, a low-privileged user can bypass security boundaries to read, change, or delete sensitive project information that they are not authorized to handle.

How is this vulnerability triggered?

An attacker needs network access to the JDENET communication protocol to trigger this flaw. It is important to note that this is not a public-facing web bug; it requires a foothold within the network or the ability to reach the JDENET service. If an attacker cannot communicate with this specific protocol, they cannot reach the vulnerable component.

Is my environment at risk from this vulnerability?

According to Halo Surface Signal, this component is typically located deep within a private business network and is not designed for public internet access. While you should verify your own internal network configuration, the likelihood of this service being directly reachable from the open internet is considered low.

What should I do to address this CVE?

Begin by confirming whether you are running version 9.2 of the affected software. Coordinate with your application and infrastructure teams to verify how the system is positioned within your network. Assess the business criticality of the data housed in the Job Costing component and prepare to schedule the necessary updates during your next available maintenance window.
