Skip to main content

Oracle iSupport CVE-2026-46946

| EUVDEUVD-2026-37259 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable HTTP endpoint (AV:N) with no special conditions (AC:L), requires a high-privileged EBS/iSupport account (PR:H), no user interaction, and impact crosses into other EBS modules (S:C) with full CIA loss.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:58 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle iSupport in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with scope-changed impact extending to additional EBS components. The CVSS 3.1 base score of 9.1 reflects full confidentiality, integrity, and availability loss beyond the vulnerable component itself. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privileged EBS account
Delivery
Reach iSupport web tier over HTTP
Exploit
Send crafted Internal Operations request
Execution
Trigger scope-changing flaw
Persist
Take over iSupport module
Impact
Pivot impact to additional EBS components

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network HTTP reachability to the Oracle E-Business Suite application tier hosting the iSupport module, (2) the target running an affected EBS 12.2.x release between 12.2.3 and 12.2.15 inclusive with the iSupport product deployed and the 'Internal Operations' component active, and (3) an authenticated session with high privileges within iSupport/EBS (PR:H per CVSS vector) - anonymous or low-privilege EBS users cannot trigger the flaw. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) describes a network-reachable, low-complexity attack that nonetheless requires high privileges, which materially gates real-world exploitability: an attacker must already hold an elevated EBS account (administrative or equivalent role on iSupport) before the flaw produces its high impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or is assigned a high-privileged Oracle EBS account - for example, a compromised iSupport administrator credential reused from a phishing campaign, or a malicious insider with elevated responsibilities - sends crafted HTTP requests to the iSupport Internal Operations endpoints on the EBS application tier. The request triggers the scope-changing flaw to fully take over the iSupport module and pivot to manipulate confidentiality, integrity, and availability of additional EBS components such as related self-service or back-office modules. …
Remediation Apply the Oracle Critical Patch Update for June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory; Oracle has not published a discrete fixed micro-version in the supplied intelligence, so use the CPU patch matrix for your exact 12.2.x release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and audit all high-privileged user accounts with iSupport access; review administrative activity logs for anomalies; escalate findings to security leadership. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46946 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy