Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Internet Procurement Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Internet Procurement Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
AnalysisAI
Remote unauthenticated compromise of Oracle Internet Procurement Connector (a component of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows attackers to read, modify, create, or delete all data accessible to the component over HTTP. The CVSS 9.1 score reflects high confidentiality and integrity impact with low attack complexity and no privileges or user interaction required. No public exploit identified at time of analysis, but the trivial exploitability profile combined with EBS's history of being targeted (e.g., CVE-2025 Cl0p campaigns) makes this a priority patch for any internet-exposed deployment.
Technical ContextAI
Oracle E-Business Suite (EBS) is Oracle's flagship on-premises ERP platform, and the Internet Procurement Connector is a sub-component of the Internal Operations module used to bridge external procurement workflows with internal EBS modules over HTTP-based services. The affected CPE (cpe:2.3:a:oracle_corporation:oracle_internet_procurement_connector) covers all 12.2.x branches from 12.2.3 to 12.2.15, indicating the flaw exists in long-standing connector code rather than a recent feature. The tag 'Authentication Bypass' combined with the CVSS PR:N vector strongly suggests an unauthenticated request can reach data-modifying endpoints that should require an EBS session; no CWE was assigned by the reporter, but the impact profile (C:H/I:H with A:N) is characteristic of broken access control or missing authentication on a privileged HTTP endpoint (CWE-306 / CWE-862 class).
RemediationAI
Patch available per vendor advisory: apply the May 2026 Oracle Critical Patch Update (CPU) / Security Patch Update referenced at https://www.oracle.com/security-alerts/cspumay2026.html, which is the only Oracle-supported remediation path; exact fix version was not enumerated in the input data, so consult the advisory's patch matrix for your specific 12.2.x baseline. Until the CPU is applied, compensating controls include restricting network access to the EBS web tier so that Internet Procurement Connector endpoints are reachable only from trusted internal networks or via VPN (side effect: breaks any legitimate external supplier integrations that traverse those URLs), placing a WAF or reverse proxy in front of EBS to block unauthenticated requests to /OA_HTML/ and procurement connector paths (side effect: may block legitimate supplier portals - test before enforcing), and increasing audit logging on procurement tables to detect unauthorized create/modify/delete activity. Do not rely on perimeter controls alone - many EBS compromises in 2023-2025 occurred via internet-exposed instances or supplier portals that defenders believed were segmented.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33042
GHSA-v8hv-9rj5-373r