Skip to main content

Oracle Property Manager CVE-2026-46956

| EUVDEUVD-2026-37267 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

HTTP-reachable (AV:N), Oracle labels easily exploitable (AC:L), requires high EBS privileges (PR:H), no user interaction, and full takeover of Property Manager yields C:H/I:H/A:H within an unchanged scope.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:53 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Property Manager product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Property Manager. Successful attacks of this vulnerability can result in takeover of Oracle Property Manager. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle Property Manager (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by a high-privileged attacker with HTTP network access, with no public exploit identified at time of analysis. Oracle rates the issue easily exploitable with full confidentiality, integrity, and availability impact, but the PR:H requirement narrows the practical attacker pool to those already holding elevated EBS application privileges. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain privileged EBS account
Delivery
Reach Property Manager HTTP endpoint
Exploit
Send crafted Internal Operations request
Execution
Abuse vulnerable handler
Persist
Take over Property Manager module
Impact
Tamper with lease/property data

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network reachability to the Oracle E-Business Suite 12.2 HTTP application tier serving the Property Manager module, specifically the Internal Operations component, and (2) an authenticated session with high EBS application privileges (PR:H) - typically a user holding a privileged Property Manager / System Administrator responsibility - as Oracle's CVSS vector mandates PR:H and explicitly scopes impact to the Oracle Property Manager module. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Oracle's CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, score 7.2) describes a high-impact but high-privilege flaw: full triad compromise of Property Manager, but only by an attacker already holding elevated EBS privileges, which materially lowers real-world likelihood versus a PR:N RCE. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has already obtained a privileged Oracle EBS account - for example through phishing of a functional administrator or reuse of a stolen DBA/sysadmin credential - authenticates to the EBS application tier and issues a crafted HTTP request to a Property Manager Internal Operations endpoint, achieving full takeover of the Property Manager module including read, modification, and disruption of lease and property records. No public exploit identified at time of analysis, so an adversary would need to reverse the June 2026 CPU patch or discover the vulnerable code path independently.
Remediation Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), which delivers the Property Manager patch for EBS 12.2.3-12.2.15 via the standard EBS 12.2 patch bundle; consult the CPU Patch Availability Document for the exact patch numbers per platform and apply through adop/online-patching with standard pre-production validation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Oracle EBS 12.2.3-12.2.15 instances and audit all users with high-privileged Property Manager roles (review access grants, role assignments, and recent administrative activity). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46956 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy