Skip to main content

Oracle Subledger Accounting CVE-2026-46958

| EUVDEUVD-2026-37269 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

HTTP-reachable EBS app tier gives AV:N/UI:N; Oracle's 'difficult to exploit' wording supports AC:H; a low-privileged EBS account is required (PR:L); takeover of SLA yields C:H/I:H/A:H within the same scope.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:52 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by a low-privileged remote attacker leveraging HTTP. The flaw yields full confidentiality, integrity, and availability impact (CVSS 7.5) but is rated high attack complexity, so reliable exploitation is non-trivial. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS account
Delivery
Reach EBS app tier over HTTP
Exploit
Craft request to SLA Internal Operations
Execution
Satisfy high-complexity precondition
Persist
Achieve Subledger Accounting takeover
Impact
Tamper with journals and rule data

Vulnerability AssessmentAI

Exploitation Attacker must hold valid low-privileged credentials on a target Oracle E-Business Suite 12.2.3-12.2.15 deployment (PR:L) and must be able to reach the EBS application tier over HTTP (AV:N); no user interaction is required (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H produces a 7.5 base score: network-reachable, no user interaction, but high attack complexity and requiring a low-privileged EBS account, with full CIA impact ('takeover' of SLA). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A contractor or low-privilege business user with a valid Oracle EBS account reaches the application tier over HTTP and issues a crafted request that exercises an Internal Operations code path in Subledger Accounting; after working around the high-complexity conditions (e.g., timing, state, or a specific configuration), the attacker gains full control of the SLA component and can read, alter, or destroy accounting rule data and generated journals. No public exploit identified at time of analysis, so any real-world abuse would currently require independent reverse engineering of the Oracle patch.
Remediation Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; patch availability is confirmed via the Oracle CPU reference but no exact CPU patch number or post-patch version string is provided in the input data, so the precise fix identifier should be taken from the CPU bulletin itself. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Oracle E-Business Suite deployments; identify systems running versions 12.2.3 through 12.2.15 and assess Subledger Accounting module scope. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46958 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy