Skip to main content

Oracle Payroll CVE-2026-46826

| EUVDEUVD-2026-33048 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-05-28 oracle GHSA-9gcp-5c92-hp8c
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:24 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Payroll (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker with HTTPS network access to fully compromise the Payroll application. The CVSS 8.8 vector indicates low complexity and no user interaction, meaning any authenticated EBS user can pivot to full confidentiality, integrity, and availability impact on Payroll. No public exploit identified at time of analysis, but the issue was disclosed in Oracle's Critical Patch Update advisory and warrants prompt patching given the sensitivity of payroll data.

Technical ContextAI

Oracle Payroll is a module of Oracle E-Business Suite (EBS) - Oracle's on-premises ERP platform - handling employee compensation, tax withholding, and statutory reporting. The affected component is 'Internal Operations,' which typically covers backend processing endpoints reachable via the EBS web tier over HTTPS. The CWE is not assigned in the provided data, but the combination of low privileges required (PR:L), unchanged scope (S:U), and full CIA impact is consistent with authenticated injection, deserialization, or authorization-bypass flaws frequently seen historically in EBS modules. CPE coverage (cpe:2.3:a:oracle_corporation:oracle_payroll) confirms the affected product line is the Payroll application itself rather than a shared EBS framework component.

RemediationAI

Apply the patch available per Oracle's May 2026 Critical Patch Update advisory (https://www.oracle.com/security-alerts/cspumay2026.html), which is the authoritative source for the specific patch identifiers for each 12.2.x release; an exact fix build number was not provided in the input data and should be confirmed against the CPU readme before deployment. As compensating controls while patching is scheduled, restrict network reachability of the EBS web tier to trusted internal networks or VPN only (eliminating opportunistic exploitation), tighten responsibility/role assignments so fewer accounts have access to Payroll-related URLs, enable EBS URL firewall (sysadmin guide chapter 6) to constrain reachable JSPs/servlets to the documented allowlist, and monitor web tier access logs for anomalous POSTs to Payroll Internal Operations endpoints. Note that restricting network access may break legitimate remote employee self-service use, and URL firewall tightening can break customizations that rely on non-allowlisted endpoints.

Share

CVE-2026-46826 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy