Skip to main content

Oracle E-Business Suite CVE-2026-46918

| EUVDEUVD-2026-37236 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.9
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.9 CRITICAL

Remote HTTP exploitation with any low-privileged EBS account, no user interaction, scope change into other modules, and full takeover yields PR:L, S:C and C/I/A:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:11 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development. While the vulnerability is in Oracle Process Manufacturing Product Development, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Process Manufacturing Product Development. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle E-Business Suite's Process Manufacturing Product Development component (versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the module via HTTP and pivot into other Oracle products through a CVSS scope change. Oracle rates the issue 9.9/10 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not on the CISA KEV list.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify internet- or intranet-reachable EBS 12.2 instance
Delivery
Obtain low-privileged EBS application credentials
Exploit
Send crafted HTTP request to OPM Product Development endpoint
Install
Bypass authorization in Internal Operations component
C2
Take over Process Manufacturing module
Execute
Pivot via scope change into adjacent EBS modules
Impact
Exfiltrate or tamper with financial/manufacturing data

Vulnerability AssessmentAI

Exploitation Network HTTP/HTTPS reachability to an Oracle E-Business Suite 12.2.3-12.2.15 middle tier that has the Process Manufacturing Product Development module (Internal Operations sub-component) deployed and enabled, plus valid credentials for any low-privileged EBS application user (PR:L) - no administrator role, no user interaction, and no specific browser or client configuration are required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H yields 9.9 - among the highest scores Oracle issues - because exploitation needs only network access and any low-privileged EBS account, requires no user interaction, and produces a scope change with full CIA impact on neighboring modules. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been granted any low-privileged EBS account - for example a self-service HR user, a contractor, or a credential harvested via phishing - sends a crafted HTTP request to the Process Manufacturing Product Development endpoint on the EBS middle tier. Because the bug carries a CVSS scope change, the request takes over the OPM component and lets the attacker pivot to read or modify data in other EBS modules sharing the same APPS schema, such as Financials or Supply Chain. …
Remediation Apply the patch available per Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); released patched versions are not independently confirmed in the supplied data, so consult the CPU matrix for the exact EBS 12.2 patchset and one-off patch numbers that cover the Process Manufacturing Product Development component on your current 12.2.3-12.2.15 baseline. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all E-Business Suite installations and identify Process Manufacturing module users; escalate to Oracle support for patch timeline and formal advisory; draft stakeholder communication. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy