Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Public Sector Financials (International). While the vulnerability is in Oracle Public Sector Financials (International), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Public Sector Financials (International) accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
AnalysisAI
Unauthorized data access in Oracle Public Sector Financials (International), a module of Oracle E-Business Suite versions 12.2.6 through 12.2.15, allows low-privileged remote attackers to read sensitive data across module boundaries due to a flaw in the Authorization component. The scope-changed CVSS 7.7 vector indicates exploitation can affect resources beyond the vulnerable component itself, expanding the blast radius to other EBS data. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Oracle E-Business Suite (EBS) is a large enterprise resource planning (ERP) suite, and the Public Sector Financials (International) module provides financial management functionality tailored to government and public-sector organizations outside the US. The vulnerability sits in the Authorization component, meaning the flaw involves how the application enforces access decisions on authenticated sessions rather than how it authenticates users. Although no CWE was assigned by Oracle, the behavior - a low-privileged user reading data they should not see - is consistent with the broader CWE-285 (Improper Authorization) / CWE-863 (Incorrect Authorization) class. The CPE string cpe:2.3:a:oracle_corporation:oracle_public_sector_financials_(international) confirms the affected product family, and the scope-changed (S:C) CVSS vector indicates the authorization boundary that is bypassed lies between security contexts within the EBS deployment.
RemediationAI
Apply the patches delivered in Oracle's May 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspumay2026.html; the input data confirms patch availability via this advisory but does not specify an exact post-patch version number, so administrators should match the CPU patch identifier to their specific 12.2.x baseline. Until the CPU is applied, restrict network access to the EBS application tier so that only trusted internal networks can reach HTTPS endpoints (this may break legitimate remote user access and integrations), tighten responsibility and menu assignments to minimize the population of users who hold any EBS account (since PR:L means even low-privileged users can exploit), and increase monitoring on EBS audit logs for unusual data access patterns from low-privilege accounts. Avoid disabling the Public Sector Financials (International) module entirely unless it is unused, as this will impact financial operations.
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33046
GHSA-m6mc-rc7h-2r2x