Skip to main content

Oracle Advanced Outbound Telephony CVE-2026-46949

| EUVDEUVD-2026-37261 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.1 CRITICAL

HTTP-reachable EBS module with no auth or interaction (AV:N/AC:L/PR:N/UI:N); full data read and write but no availability impact, so C:H/I:H/A:N, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:57 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Advanced Outbound Telephony accessible data as well as unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Remote unauthenticated compromise of Oracle Advanced Outbound Telephony (Oracle E-Business Suite, Internal Operations component) versions 12.2.3 through 12.2.15 allows attackers to read, create, modify, or delete all data accessible to the application via HTTP. Oracle rates the issue 9.1 (CVSS 3.1) due to network attack vector with no authentication and high confidentiality and integrity impact, though availability is unaffected. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify internet- or partner-reachable Oracle EBS 12.2 instance
Delivery
Enumerate Advanced Outbound Telephony HTTP endpoints
Exploit
Send unauthenticated crafted HTTP request
Execution
Bypass authorization on Internal Operations component
Persist
Read, modify, or delete telephony campaign and contact data
Impact
Pivot to broader EBS reconnaissance using harvested data

Vulnerability AssessmentAI

Exploitation The Oracle Advanced Outbound Telephony module must be deployed and reachable over HTTP on an Oracle E-Business Suite 12.2.3-12.2.15 instance, and the attacker must have network reachability to the EBS web tier (Oracle HTTP Server / WebLogic) hosting that module. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment All available signals point to a high-priority issue: the CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N gives a trivially reachable network attack with no authentication or user interaction, and C:H/I:H reflects full read/write over application-accessible data; only A:N (no availability impact) keeps it below 10.0. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker reachable to the EBS web tier sends crafted HTTP requests directly to the Advanced Outbound Telephony module's endpoints without supplying any session or credentials, and the application services the requests as if authorized - allowing the attacker to query, alter, or delete records such as dialing campaigns, contact lists, and call outcomes. Because AV:N/AC:L/PR:N/UI:N applies, the same flow works against any internet-exposed or partner-reachable EBS environment with the module deployed. …
Remediation Apply the fixes shipped in Oracle's June 2026 Critical Patch Update for E-Business Suite as documented at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle distributes EBS fixes as patch sets layered on the affected 12.2.x release, so install the CPU patch corresponding to your current 12.2.3-12.2.15 maintenance pack rather than expecting a single 'fixed version' string. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

WITHIN 24 HOURS: Inventory all Oracle E-Business Suite instances running versions 12.2.3 through 12.2.15; implement emergency firewall rules restricting network access to affected systems to whitelisted IPs only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46949 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy