Skip to main content

Oracle E-Business Suite CVE-2026-46930

| EUVDEUVD-2026-37246 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.1 CRITICAL

Oracle states unauthenticated HTTPS exploitation is easy (AV:N, AC:L, PR:N, UI:N) with full data read/write but no service crash, so C:H/I:H/A:N and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:05 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle In-Memory Cost Management for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.12-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle In-Memory Cost Management for Discrete Industries. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle In-Memory Cost Management for Discrete Industries accessible data as well as unauthorized access to critical data or complete access to all Oracle In-Memory Cost Management for Discrete Industries accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Remote unauthenticated compromise of Oracle In-Memory Cost Management for Discrete Industries (Oracle E-Business Suite versions 12.2.12 through 12.2.15) allows network-based attackers to read, modify, create, or delete all data accessible to the product via HTTPS. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact but no availability impact, and no public exploit has been identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed EBS HTTPS endpoint
Delivery
Fingerprint In-Memory Cost Management module
Exploit
Send crafted unauthenticated HTTPS request to Internal Operations
Execution
Bypass authentication checks
Persist
Read or modify cost management data
Impact
Exfiltrate or tamper with financial costing records

Vulnerability AssessmentAI

Exploitation Attacker must be able to reach the HTTPS interface of an Oracle E-Business Suite 12.2.12-12.2.15 deployment that has the Oracle In-Memory Cost Management for Discrete Industries product installed and its Internal Operations component exposed; no credentials, MFA, or user interaction are required (PR:N, UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to a genuinely high-priority issue: CVSS 3.1 9.1 with AV:N, AC:L, PR:N and UI:N means the vulnerability is remotely reachable, low-complexity, unauthenticated, and requires no user interaction, while C:H/I:H reflects total compromise of the product's data. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An external attacker who can reach the Oracle E-Business Suite HTTPS endpoint sends a crafted request to the Internal Operations interface of the In-Memory Cost Management for Discrete Industries module without supplying valid credentials, abusing the missing authentication/authorization check implied by CVSS PR:N and the 'Authentication Bypass' tag. They then read, alter, or delete cost-management records - for example tampering with standard costs or inventory valuation data - to commit financial fraud or sabotage enterprise costing. …
Remediation Apply the patch available per the Oracle Critical Patch Update Advisory of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to Oracle E-Business Suite 12.2.12-12.2.15 - Oracle has not published an independent fix version outside the CPU bundle, so install the CPU-aligned patch set for your 12.2.x level rather than waiting for an out-of-band release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Oracle E-Business Suite 12.2.12-12.2.15 with In-Memory Cost Management enabled; restrict network access to these systems' HTTPS ports to known administrative IP addresses only; enable full request/response logging. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46930 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy