Skip to main content

Oracle Payroll CVE-2026-46827

| EUVDEUVD-2026-33049 HIGH
Improper Privilege Management (CWE-269)
2026-05-28 oracle GHSA-hgjj-98r8-4m7p
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:24 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Self Service Manager). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Payroll (Self Service Manager component) of Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the Payroll module over HTTP. The CVSS 3.1 base score of 8.8 reflects high impacts to confidentiality, integrity, and availability, and Oracle has issued a fix in the May 2026 Critical Patch Update. No public exploit identified at time of analysis.

Technical ContextAI

Oracle Payroll is a core human capital management module of Oracle E-Business Suite (EBS), an on-premises enterprise resource planning suite widely deployed for HR, finance, and supply chain operations. The vulnerable Self Service Manager component is the web-facing interface that exposes manager-oriented payroll functions over HTTP/HTTPS to authenticated EBS users. The affected version range (12.2.3-12.2.15) covers the entire 12.2.x branch up to the May 2026 CPU, indicating a flaw in shared Self Service Manager logic rather than a feature added in a single release. No CWE was assigned in the provided data, so the underlying weakness class (e.g., access control, injection, deserialization) cannot be confirmed; Oracle's brevity policy typically withholds such detail until customers patch.

RemediationAI

Apply the fixes delivered in the Oracle Critical Patch Update of May 2026 as documented at https://www.oracle.com/security-alerts/cspumay2026.html; this is the primary and only vendor-sanctioned remediation. Patch available per vendor advisory - the exact patched build identifier is enumerated in the CPU matrix for each 12.2.x level and should be applied to all instances in the 12.2.3-12.2.15 range. If immediate patching is not feasible, compensating controls include restricting network access to the Self Service Manager URLs through the Oracle HTTP Server mod_rewrite / URL firewall (note: this may block legitimate manager self-service workflows), tightening responsibility assignments so that the minimum number of users hold Self Service Manager-eligible responsibilities, and increasing monitoring of EBS access logs for anomalous requests to the affected component until the CPU can be deployed.

Share

CVE-2026-46827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy