Skip to main content

Oracle HRMS CVE-2026-46953

| EUVDEUVD-2026-37265 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
7.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

HTTP-reachable EBS module (AV:N, AC:L), but requires an existing high-privilege HRMS/UK Payroll account (PR:H); no user interaction; full takeover yields C/I/A:H within the same scope.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:54 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle HRMS (UK) product of Oracle E-Business Suite (component: UK Payroll). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HRMS (UK). Successful attacks of this vulnerability can result in takeover of Oracle HRMS (UK). CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full takeover of Oracle HRMS (UK) - the UK Payroll component of Oracle E-Business Suite versions 12.2.3 through 12.2.15 - is possible by an already-authenticated, highly privileged attacker over HTTP, leading to complete loss of confidentiality, integrity, and availability of the HRMS application. Oracle classifies the issue as easily exploitable but the PR:H requirement narrows the realistic attacker pool to insiders and compromised admin accounts. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Oracle E-Business Suite (EBS) is Oracle's on-premises ERP platform; the HRMS (UK) module within it provides UK-specific human resources and payroll functions and is typically deployed as part of the Oracle Applications stack fronted by Oracle HTTP Server / WebLogic. The affected CPE cpe:2.3:a:oracle_corporation:oracle_hrms_(uk):*:* covers all 12.2.x point releases from 12.2.3 to 12.2.15, indicating a long-standing defect in the UK Payroll component reachable over HTTP. No CWE was assigned by the reporter, so the precise root-cause class (authorization bypass, SQL injection, deserialization, etc.) cannot be determined from the public advisory alone; Oracle's Critical Patch Update advisories deliberately withhold technical detail.

RemediationAI

Apply patch available per vendor advisory - install the fixes shipped in the Oracle Critical Patch Update June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for all EBS 12.2.x instances in the 12.2.3-12.2.15 range; Oracle does not publish individual fix version numbers per CVE in CPU advisories, so consult the CPU patch matrix for the exact one-off or RPC patch number for your 12.2.x level. Until patching, reduce blast radius by tightening assignment of EBS responsibilities that grant UK Payroll / HRMS administrative access, enforcing MFA on all EBS admin accounts, restricting network access to the HRMS URLs via the Oracle E-Business Suite URL firewall / DMZ configuration (trade-off: may break legitimate self-service access if rules are too broad), and increasing audit-log review on UK Payroll transactions to detect abuse by privileged users (trade-off: detective rather than preventive).

Share

CVE-2026-46953 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy