Skip to main content

Oracle Advanced Outbound Telephony CVE-2026-46950

| EUVDEUVD-2026-37262 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable EBS HTTP endpoint (AV:N), low complexity (AC:L), requires any authenticated EBS user (PR:L), no user interaction, and Oracle states full product takeover yielding C:H/I:H/A:H within the same security authority (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:56 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Outbound Telephony. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite component, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker with HTTP access to fully compromise the product's confidentiality, integrity, and availability. Oracle has published a fix in the June 2026 Critical Patch Update, and the CVSS 3.1 base score of 8.8 reflects an easily exploitable network-borne flaw, though no public exploit identified at time of analysis and EPSS data was not provided.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS account
Delivery
Reach EBS web tier over HTTP
Exploit
Send crafted request to Advanced Outbound Telephony Internal Operations endpoint
Execution
Bypass module authorization
Persist
Take over Advanced Outbound Telephony
Impact
Read/modify dialer data and disrupt service

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network reachability to the Oracle E-Business Suite web tier serving the Advanced Outbound Telephony module over HTTP, (2) a valid low-privileged EBS account (PR:L - any authenticated EBS user, not anonymous), and (3) the target running EBS 12.2 at a level between 12.2.3 and 12.2.15 inclusive with the Advanced Outbound Telephony product (Internal Operations component) deployed and accessible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H paints a high-impact picture: network-reachable, low-complexity, only a low-privileged account needed, no user interaction, and full CIA loss on the targeted product. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privileged EBS account - for example via phishing of an internal user or reuse of a leaked self-service/iSupplier credential - sends crafted HTTP requests to the Advanced Outbound Telephony Internal Operations endpoints on the EBS web tier. The request abuses the flaw to escalate within the module and fully take over Advanced Outbound Telephony, allowing the attacker to read or modify outbound campaign data, contact lists, and dialer configuration, and to disrupt the dialer service.
Remediation Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), which is the patch available per vendor advisory for EBS 12.2.3 through 12.2.15; exact post-patch version strings are tracked in the CPU readme and should be matched against your current EBS 12.2 RUP level. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Oracle Advanced Outbound Telephony versions 12.2.3-12.2.15; document current patch status and user access levels. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46950 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy