Skip to main content

Oracle Flow Manufacturing CVE-2026-46837

| EUVDEUVD-2026-33016 HIGH
Improper Privilege Management (CWE-269)
2026-05-28 oracle GHSA-52wf-x2gw-qm74
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:22 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full product takeover of Oracle Flow Manufacturing (versions 12.2.9 through 12.2.15) is achievable by a low-privileged remote attacker via SQL-based network access, per Oracle's advisory. The flaw scores CVSS 8.8 with high impact across confidentiality, integrity, and availability, and no public exploit has been identified at time of analysis. As a component of Oracle E-Business Suite, exploitation provides an attacker with control over a business-critical manufacturing execution system.

Technical ContextAI

Oracle Flow Manufacturing is a module within Oracle E-Business Suite (EBS) used to manage mixed-model production lines and just-in-time manufacturing workflows. The CPE string cpe:2.3:a:oracle_corporation:oracle_flow_manufacturing:*:*:*:*:*:*:*:* confirms the Oracle Corporation product is the sole affected component. The advisory categorizes the issue under the Security component and notes the attack channel is SQL, strongly implying a SQL-layer weakness (such as SQL injection or insufficient query authorization) - though Oracle does not assign a CWE in its CPU disclosures, so the precise weakness class is not formally documented.

RemediationAI

Apply the fixes from Oracle's May 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspumay2026.html) to all Oracle E-Business Suite 12.2.9-12.2.15 deployments running Flow Manufacturing; the specific patch identifier should be sourced from that CPU document since an exact fixed version is not enumerated in the input data. Patch availability is confirmed by the vendor advisory but no discrete fix version string is provided here, so cite the CPU as the authoritative reference. As compensating controls until patching is complete, restrict network access to the EBS application tier so only trusted internal subnets and VPN users can reach Flow Manufacturing endpoints (side effect: may disrupt external integrations or partner access), enforce least-privilege on EBS application accounts to reduce the pool of low-privileged users who could exploit this, and increase monitoring of database audit logs for anomalous SQL patterns originating from Flow Manufacturing sessions (side effect: log volume and storage increase).

Share

CVE-2026-46837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy