Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iAssets. While the vulnerability is in Oracle iAssets, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iAssets. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the iAssets component and pivot into adjacent products via a scope change. The 9.9 CVSS score reflects high impact on confidentiality, integrity, and availability combined with low attack complexity; no public exploit identified at time of analysis, but Oracle's inclusion in the May 2026 Critical Patch Update warrants immediate attention.
Technical ContextAI
Oracle iAssets is a module within Oracle E-Business Suite (EBS) under the Internal Operations component, used by organizations to manage internal asset tracking and lifecycle workflows. The affected CPE (cpe:2.3:a:oracle_corporation:oracle_iassets) spans the 12.2.x EBS release family. Oracle did not publish a CWE classification for this issue, but the combination of network attack vector over HTTP, low-privilege precondition, and a scope-changing impact is consistent with web-tier authorization or injection flaws in EBS's Oracle Application Framework (OAF) servlets, where a logged-in EBS user can manipulate iAssets endpoints to act beyond their permitted module boundary.
RemediationAI
Patch available per vendor advisory: apply the relevant fix from the Oracle Critical Patch Update - May 2026 (https://www.oracle.com/security-alerts/cspumay2026.html), which covers each supported 12.2.x release; specific patched build numbers are listed in the CPU patch availability matrix and should be retrieved from My Oracle Support before scheduling the outage window. As compensating controls until patching, restrict network reachability of the EBS web tier so that iAssets URLs (typically under /OA_HTML/ paths invoking OA.jsp and iAssets-specific functions) are not reachable from untrusted networks, place the EBS frontend behind a WAF with rules blocking anomalous OAF parameters, and tighten EBS responsibility/menu assignments so fewer accounts hold iAssets responsibilities - recognising these reduce attack surface but do not eliminate risk for insiders or compromised low-privilege accounts.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33045
GHSA-mcf7-2r26-r689