Skip to main content

Oracle E-Business Suite CVE-2026-46931

| EUVDEUVD-2026-37247 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

HTTP-reachable EBS endpoint exploitable by any authenticated low-privilege user with no interaction, yielding full module takeover, matches Oracle's vector.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:05 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Enterprise Asset Management (Oracle E-Business Suite 12.2.6 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Internal Operations component over HTTP. The flaw carries a CVSS 3.1 base score of 8.8 with high confidentiality, integrity, and availability impacts, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS account
Delivery
Reach EBS app tier over HTTP
Exploit
Send crafted request to Internal Operations endpoint
Execution
Trigger EAM authorization or input flaw
Persist
Gain full control of Enterprise Asset Management
Impact
Read and modify asset/work-order data

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network HTTP/HTTPS reachability to an Oracle E-Business Suite 12.2.6-12.2.15 application tier running the Oracle Enterprise Asset Management module with the Internal Operations component deployed, and (2) a valid low-privileged EBS user account (PR:L) - fully unauthenticated exploitation is not in scope per the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to a meaningful but not headline-grade risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A contractor or compromised low-privilege EBS user logs into the E-Business Suite application tier over HTTP/HTTPS, navigates to or directly requests an Internal Operations endpoint within Enterprise Asset Management, and submits a crafted parameter that abuses the underlying flaw to obtain full module control. With high C/I/A impact, the attacker can then read sensitive maintenance and asset records, alter work orders or master data, and disrupt EAM operations. …
Remediation Apply the patch from the Oracle Critical Patch Update June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), which is the patch available per vendor advisory for Enterprise Asset Management on E-Business Suite 12.2.6-12.2.15; Oracle publishes per-version patch IDs in the CPU advisory matrix, so administrators should consult that matrix to select the correct 12.2.x bundle. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Oracle EBS 12.2.6-12.2.15 instances; document network exposure and enable enhanced authentication logging on all affected systems. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46931 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy