Skip to main content

Oracle Cost Management CVE-2026-46929

| EUVDEUVD-2026-37245 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable EBS HTTP tier (AV:N), low complexity per Oracle (AC:L), requires any valid EBS user (PR:L), no interaction (UI:N), and Oracle states full module takeover yielding C:H/I:H/A:H within the same scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:06 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Cost Planning component over HTTP. The flaw yields high confidentiality, integrity, and availability impact with no user interaction required, and is addressed in Oracle's June 2026 Critical Patch Update. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS credential
Delivery
Reach Cost Management HTTP endpoint
Exploit
Send crafted Cost Planning request
Execution
Exploit undisclosed flaw
Persist
Escalate within Cost Management module
Impact
Read/modify/destroy cost data

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the Oracle E-Business Suite application/HTTP tier hosting the Cost Management module and a valid low-privileged EBS user credential (PR:L); no user interaction, no admin role, and no scope change are required, and the targeted versions are EBS Cost Management 12.2.3 through 12.2.15. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine priority for any organization running EBS 12.2: CVSS 3.1 base 8.8 with AV:N/AC:L/PR:L/UI:N and full C/I/A impact means a single low-privileged EBS account - which many enterprises issue broadly to employees, contractors, and partners - can take over Cost Management. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been issued any low-privileged Oracle E-Business Suite account - for example a self-service employee, supplier portal user, or a credential harvested via phishing - authenticates to the EBS web tier and sends crafted HTTP requests to the Cost Planning component, abusing the undisclosed flaw to escalate within Cost Management and read, modify, or destroy cost data and configurations. No user interaction or additional privileges are required and attack complexity is low, but no public exploit has been identified at time of analysis.
Remediation Apply the fixes shipped in Oracle's Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle E-Business Suite 12.2.3-12.2.15; Oracle delivers EBS fixes as cumulative patch sets through My Oracle Support, so install the CPU-aligned patch for your exact 12.2.x level rather than waiting for a point release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Oracle EBS Cost Management instances in versions 12.2.3-12.2.15; immediately restrict Cost Planning access by IP whitelist and disable remote access if non-critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46929 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy