Skip to main content

Oracle E-Business Suite CVE-2026-46952

| EUVDEUVD-2026-37264 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Reachable over HTTP with any low-privilege EBS account and no user interaction; Oracle states full takeover of the Quality module, giving high C/I/A within an unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:55 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Quality product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Quality. Successful attacks of this vulnerability can result in takeover of Oracle Quality. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in the Oracle Quality module of Oracle E-Business Suite 12.2.3 through 12.2.15 allows a low-privileged attacker with HTTP network access to fully compromise the Quality component, impacting confidentiality, integrity, and availability (CVSS 3.1 8.8). The flaw resides in the Internal Operations component and is rated easily exploitable by Oracle's own advisory, though no public exploit identified at time of analysis and the issue is not yet listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege EBS credentials
Delivery
Reach EBS web tier over HTTP
Exploit
Send crafted request to Quality Internal Operations endpoint
Execution
Exploit server-side flaw
Persist
Escalate within Oracle Quality module
Impact
Read/modify/destroy Quality data

Vulnerability AssessmentAI

Exploitation Attacker must reach the Oracle E-Business Suite web tier over HTTP/HTTPS and hold valid credentials for any low-privilege EBS account (PR:L), with no user interaction required and no scope change. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS vector AV:N/AC:L/PR:L/UI:N with full C/I/A high and unchanged scope makes this a credible priority for any internet-facing or broadly accessible EBS deployment: any authenticated EBS user - including low-privilege internal accounts often issued to many employees, suppliers, or contractors via iSupplier/iStore portals - can take over the Quality component without user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A contractor or internal employee with any low-privilege EBS responsibility authenticates to the Oracle E-Business Suite web tier and issues crafted HTTP requests to the Oracle Quality module's Internal Operations endpoints, abusing the flaw to escalate within the Quality application and read, modify, or destroy quality-management data such as inspection records, supplier non-conformance reports, and collection plans. With Oracle stating exploitation is 'easy' and requires only PR:L, the scenario is realistic against any organization that issues broad authenticated EBS access; no public POC is currently identified.
Remediation Apply the fixes shipped in Oracle's June 2026 Critical Patch Update (Patch available per vendor advisory at https://www.oracle.com/security-alerts/cspujun2026.html); Oracle does not publish individual fix-version numbers per CVE, so administrators must apply the CPU bundle that covers EBS 12.2.3-12.2.15. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all affected EBS Quality module instances (versions 12.2.3-12.2.15) and document user accounts with Quality access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy