Skip to main content

Oracle Spares Management CVE-2026-46928

| EUVDEUVD-2026-37244 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

EBS module is reached over HTTPS (AV:N, AC:L), requires any authenticated EBS user (PR:L), no interaction (UI:N), and full module takeover yields C:H/I:H/A:H within the same authorization scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:06 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Spares Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Spares Management. Successful attacks of this vulnerability can result in takeover of Oracle Spares Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full product takeover of Oracle Spares Management (a module of Oracle E-Business Suite) is achievable by a low-privileged remote attacker over HTTPS, affecting supported versions 12.2.3 through 12.2.15. Oracle rates this 8.8 CVSS with high impact across confidentiality, integrity, and availability, and the vector indicates easy exploitation with no user interaction. There is no public exploit identified at time of analysis, and the CVE is not on CISA KEV.

Technical ContextAI

Oracle Spares Management is a module within the Oracle E-Business Suite (EBS) 12.2 application stack used to manage field-service spare parts logistics, depots, and inventory replenishment. The 'Internal Operations' component points to administrative or back-office functionality typically exposed through the EBS Forms/OA Framework over HTTPS rather than purely internal RPC. No CWE has been assigned by Oracle (consistent with their longstanding practice of withholding root-cause classification in CPU advisories), so the specific weakness class - likely an authorization, injection, or business-logic flaw given the 'takeover' impact and low-privilege precondition - cannot be confirmed from the published data. The single affected CPE (cpe:2.3:a:oracle_corporation:oracle_spares_management:*) confirms the bug is scoped to this EBS module rather than the broader EBS platform.

RemediationAI

Apply the patches delivered in Oracle's June 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspujun2026.html - this is the vendor-released remediation and the only supported fix path; exact patch identifiers (per the standard EBS CPU bundle layout) should be pulled from My Oracle Support against your installed 12.2.x version. Until the CPU can be applied, restrict network access to the EBS application tier so only trusted enterprise networks or VPN clients can reach the Spares Management responsibilities - note this breaks legitimate remote field-service users. Additionally, audit Oracle EBS user accounts assigned the Spares Management responsibility and revoke any accounts no longer required, since PR:L means any low-privileged EBS user becomes a viable attacker; the trade-off is operational friction reviewing seeded and integration accounts. Do not rely on TLS, WAF generic rules, or perimeter ACLs alone, as the vector is HTTPS-native and originates from an already-authenticated session.

Share

CVE-2026-46928 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy