Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Full product takeover of Oracle Flow Manufacturing (versions 12.2.9 through 12.2.15) is achievable by a low-privileged remote attacker via SQL-based network access, per Oracle's advisory. The flaw scores CVSS 8.8 with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. As a component of Oracle E-Business Suite, exploitation provides an attacker with control over a business-critical manufacturing execution system.
Technical ContextAI
Oracle Flow Manufacturing is a module within Oracle E-Business Suite (EBS) used to manage mixed-model production lines and just-in-time manufacturing workflows. The CPE string cpe:2.3:a:oracle_corporation:oracle_flow_manufacturing:*:*:*:*:*:*:*:* confirms the Oracle Corporation product is the sole affected component. The advisory categorizes the issue under the Security component and notes the attack channel is SQL, strongly implying a SQL-layer weakness (such as SQL injection or insufficient query authorization) - though Oracle does not assign a CWE in its CPU disclosures, so the precise weakness class is not formally documented.
RemediationAI
Apply the fixes from Oracle's May 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspumay2026.html) to all Oracle E-Business Suite 12.2.9-12.2.15 deployments running Flow Manufacturing; the specific patch identifier should be sourced from that CPU document since an exact fixed version is not enumerated in the input data. Patch availability is confirmed by the vendor advisory but no discrete fix version string is provided here, so cite the CPU as the authoritative reference. As compensating controls until patching is complete, restrict network access to the EBS application tier so only trusted internal subnets and VPN users can reach Flow Manufacturing endpoints (side effect: may disrupt external integrations or partner access), enforce least-privilege on EBS application accounts to reduce the pool of low-privileged users who could exploit this, and increase monitoring of database audit logs for anomalous SQL patterns originating from Flow Manufacturing sessions (side effect: log volume and storage increase).
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33016
GHSA-52wf-x2gw-qm74