Skip to main content

Oracle E-Business Suite CVE-2026-46932

| EUVDEUVD-2026-37248 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
vuln.today AI
7.1 HIGH

Network-reachable EBS web tier (AV:N), Oracle calls it easily exploitable (AC:L), requires a low-privileged EBS account (PR:L), no user interaction, high confidentiality and only partial availability impact with no integrity change.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:04 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).

AnalysisAI

Information disclosure and partial denial of service in Oracle E-Business Suite Enterprise Asset Management (versions 12.2.3 through 12.2.15) allows a low-privileged authenticated attacker with HTTP network access to read all data accessible to the Enterprise Asset Management module and degrade its availability. Oracle rates the issue 7.1 CVSS 3.1 and describes it as easily exploitable. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS account
Delivery
Reach EAM web tier over HTTP
Exploit
Send crafted Internal Operations request
Execution
Retrieve EAM-accessible data
Impact
Repeat to cause partial DoS

Vulnerability AssessmentAI

Exploitation Attacker must hold a valid low-privileged Oracle E-Business Suite account (PR:L) and have HTTP/HTTPS reachability to the EBS web tier hosting the Enterprise Asset Management Internal Operations component, against EBS versions 12.2.3 through 12.2.15; no user interaction, no admin role, and no special non-default configuration is required beyond having EAM deployed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L describes a network-reachable, low-complexity attack requiring only a low-privileged EBS account and no user interaction, which is realistic for any organisation with self-service EBS users or contractors. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A contractor or junior maintenance user with a valid but low-privileged EBS account authenticates to the EBS web tier over HTTP/HTTPS and issues crafted requests to the EAM Internal Operations endpoints, retrieving the full set of EAM-accessible records (work orders, asset data, internal operations details) that their responsibility should not expose. The same attacker can repeat resource-intensive requests to cause partial denial of service of the EAM module, degrading maintenance operations for legitimate users. …
Remediation Patch available per vendor advisory: apply the fixes bundled in the Oracle Critical Patch Update of June 2026 documented at https://www.oracle.com/security-alerts/cspujun2026.html, which covers EBS 12.2.3 through 12.2.15. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Oracle EBS Enterprise Asset Management module versions 12.2.3-12.2.15 and document current user access levels. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46932 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy