Skip to main content

Oracle E-Business Suite CVE-2026-46820

| EUVDEUVD-2026-33043 HIGH
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-736v-m8w8-qf99
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:26 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data as well as unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).

AnalysisAI

Cross-product data exposure in Oracle Financials Common Modules (E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker to access or modify sensitive financial data over HTTP. The scope-changed nature of the flaw means exploitation impacts additional Oracle products beyond Financials Common Modules itself. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

The affected component is the Common Components module within Oracle Financials Common Modules, a shared layer of Oracle E-Business Suite (EBS) 12.2.x used across financial applications such as General Ledger, Payables, and Receivables. The CPE string cpe:2.3:a:oracle_corporation:oracle_financials_common_modules confirms the targeted product family. The CVSS scope change (S:C) indicates the vulnerable component can affect resources beyond its own security authority - typical in EBS where Common Modules brokers data and authorization for multiple downstream financial products. No CWE is assigned, but the 'Authentication Bypass' tag combined with PR:L suggests an authorization or access-control weakness reachable post-login that escalates an ordinary EBS user's effective privileges across module boundaries.

RemediationAI

Apply the fixes from Oracle's May 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspumay2026.html; exact patched build numbers are listed in that advisory and should be applied to all EBS 12.2.3-12.2.15 environments. If immediate patching is not possible, compensating controls include restricting network access to the EBS application tier (especially the Oracle iSupplier/iStore/self-service portals) to trusted corporate networks or VPN only, auditing and minimizing low-privileged accounts that can reach Financials Common Modules endpoints, and enabling URL firewall rules in EBS to block non-essential responsibilities and functions - note that aggressive URL filtering can break legitimate self-service workflows and should be tested in a non-production environment first. No vendor-confirmed workaround that fully mitigates without patching was published in the available references.

Share

CVE-2026-46820 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy