Skip to main content

Oracle E-Business Suite CVE-2026-46817

| EUVDEUVD-2026-33040 CRITICAL
Improper Privilege Management (CWE-269)
2026-05-28 oracle GHSA-pv4m-gf99-c5jr
9.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (oracle) · only source for this CVE.

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Added to CISA KEV
Jul 15, 2026 - 17:48 CISA
Analysis Generated
May 28, 2026 - 21:27 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Payments in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible via the File Transmission component, allowing unauthenticated network-based attackers to fully compromise confidentiality, integrity, and availability (CVSS 9.8). The flaw is described by Oracle as easily exploitable over HTTP with no user interaction, and no public exploit identified at time of analysis. Tagged as Information Disclosure and listed in Oracle's May 2026 Critical Patch Update advisory.

Technical ContextAI

Oracle E-Business Suite (EBS) is Oracle's flagship enterprise resource planning suite, and the Oracle Payments module is the centralized funds-capture and disbursement engine used across Receivables, Payables, Loans, and other financial modules. The vulnerable File Transmission component is responsible for moving payment instruction files (settlement batches, bank statements, payment confirmations) between EBS and external financial institutions, typically over HTTP-based transports. No CWE was assigned in the provided data, but the unauthenticated-over-HTTP profile combined with full CIA impact is consistent with the class of input-handling or deserialization weaknesses that have historically affected EBS web-tier servlets exposed by the OA Framework. The CPE string cpe:2.3:a:oracle_corporation:oracle_payments:*:*:*:*:*:*:*:* identifies the Payments product specifically rather than the broader EBS stack.

RemediationAI

Apply Patch available per vendor advisory - install the Oracle E-Business Suite 12.2 patch bundle published in the May 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspumay2026.html), following Oracle's standard adop/Online Patching procedure for the 12.2 codeline. Until patching is complete, restrict network reachability of the EBS web tier so the Payments File Transmission servlets are not exposed to untrusted networks: place the OA Framework front-ends behind a WAF or reverse proxy and block direct internet access to /OA_HTML/ Payments endpoints, accepting the trade-off that legitimate external bank/file-transmission integrations may need allowlisted IPs reconfigured. Consider tightening URL firewall rules in $CONTEXT_FILE (s_url_firewall) to reject unexpected hosts, noting that misconfiguration can break OAF redirects. No vendor-released patch version string beyond the May 2026 CPU bundle was provided, so confirm the exact patch number from the My Oracle Support note referenced by the CPU advisory before deployment.

Share

CVE-2026-46817 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy