Skip to main content

Oracle E-Business Suite CVE-2026-46819

| EUVDEUVD-2026-33042 CRITICAL
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-v8hv-9rj5-373r
9.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:26 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Internet Procurement Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Internet Procurement Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Remote unauthenticated compromise of Oracle Internet Procurement Connector (a component of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows attackers to read, modify, create, or delete all data accessible to the component over HTTP. The CVSS 9.1 score reflects high confidentiality and integrity impact with low attack complexity and no privileges or user interaction required. No public exploit identified at time of analysis, but the trivial exploitability profile combined with EBS's history of being targeted (e.g., CVE-2025 Cl0p campaigns) makes this a priority patch for any internet-exposed deployment.

Technical ContextAI

Oracle E-Business Suite (EBS) is Oracle's flagship on-premises ERP platform, and the Internet Procurement Connector is a sub-component of the Internal Operations module used to bridge external procurement workflows with internal EBS modules over HTTP-based services. The affected CPE (cpe:2.3:a:oracle_corporation:oracle_internet_procurement_connector) covers all 12.2.x branches from 12.2.3 to 12.2.15, indicating the flaw exists in long-standing connector code rather than a recent feature. The tag 'Authentication Bypass' combined with the CVSS PR:N vector strongly suggests an unauthenticated request can reach data-modifying endpoints that should require an EBS session; no CWE was assigned by the reporter, but the impact profile (C:H/I:H with A:N) is characteristic of broken access control or missing authentication on a privileged HTTP endpoint (CWE-306 / CWE-862 class).

RemediationAI

Patch available per vendor advisory: apply the May 2026 Oracle Critical Patch Update (CPU) / Security Patch Update referenced at https://www.oracle.com/security-alerts/cspumay2026.html, which is the only Oracle-supported remediation path; exact fix version was not enumerated in the input data, so consult the advisory's patch matrix for your specific 12.2.x baseline. Until the CPU is applied, compensating controls include restricting network access to the EBS web tier so that Internet Procurement Connector endpoints are reachable only from trusted internal networks or via VPN (side effect: breaks any legitimate external supplier integrations that traverse those URLs), placing a WAF or reverse proxy in front of EBS to block unauthenticated requests to /OA_HTML/ and procurement connector paths (side effect: may block legitimate supplier portals - test before enforcing), and increasing audit logging on procurement tables to detect unauthorized create/modify/delete activity. Do not rely on perimeter controls alone - many EBS compromises in 2023-2025 occurred via internet-exposed instances or supplier portals that defenders believed were segmented.

Share

CVE-2026-46819 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy