Skip to main content

Oracle E-Business Suite CVE-2026-46821

| EUVD-2026-33044 HIGH
2026-05-28 oracle GHSA-qwrj-x667-58f7
Authentication Bypass Oracle Oracle Financials Common Modules
7.7
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:26 vuln.today

DescriptionNVD

Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

AnalysisAI

Unauthorized data access in Oracle E-Business Suite's Financials Common Modules (versions 12.2.3 through 12.2.15) allows low-privileged remote attackers to read sensitive data via HTTP, with a scope change that extends impact beyond the vulnerable component to other Oracle products. The flaw carries a CVSS 3.1 base score of 7.7 reflecting high confidentiality impact, but no public exploit has been identified at time of analysis and the issue is not currently listed in CISA KEV.

Sign in for full analysis, threat intelligence, and remediation guidance.

RemediationAI

Within 24 hours: Inventory all Oracle EBS instances running Financials 12.2.3-12.2.15 and audit current low-privileged user accounts with HTTP remote access; document financial data classification and DLP controls in place. Within 7 days: Restrict or disable HTTP-based remote access to affected Financials modules, enforce additional authentication requirements, and review data access logs for unauthorized extraction. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

More from same product – last 7 days

CVE-2026-46840 CRITICAL
10.0 May 28

Remote takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows unauthenticated attackers to c
CVE-2026-46775 CRITICAL
9.9 May 28

Takeover of Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 is achievable by a low-privileged remote att
CVE-2026-46822 CRITICAL
9.9 May 28

Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privil
CVE-2026-46824 CRITICAL
9.9 May 28

Account takeover in Oracle Universal Work Queue (component: Work Provider Site Level Administration) within Oracle E-Bus
CVE-2026-46839 CRITICAL
9.9 May 28

Privilege escalation to full takeover in Oracle REST Data Services (ORDS) versions 24.2.0 through 26.1.0 allows a low-pr

Share

CVE-2026-46821 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy