Skip to main content

Oracle Subledger Accounting CVE-2026-46959

| EUVDEUVD-2026-37270 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Oracle states HTTP network access (AV:N), low-privileged authenticated attacker (PR:L), difficult to exploit (AC:H), no user interaction, and full takeover of SLA module (C:H/I:H/A:H, S:U).

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:52 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows an authenticated low-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the module. Although the CVSS 3.1 base score is 7.5 with high impact across all three pillars, the AC:H rating signals non-trivial exploitation requirements, and there is no public exploit identified at time of analysis.

Technical ContextAI

Oracle Subledger Accounting (SLA) is a rule-based accounting engine within the Oracle E-Business Suite (EBS) 12.2 financial management stack that centralizes journal entry creation for subsidiary ledgers such as Payables, Receivables, and Assets. The vulnerable component is identified as 'Internal Operations,' which typically encompasses backend processing routines exposed through the EBS Oracle Application Server / Forms / OA Framework HTTP tier. No CWE classification was assigned by the reporter (Oracle), so the precise root cause class (e.g., injection, deserialization, authorization bypass) cannot be determined from the available data. The affected CPE is cpe:2.3:a:oracle_corporation:oracle_subledger_accounting, covering EBS 12.2.3 through 12.2.15.

RemediationAI

Apply the patches delivered in Oracle's June 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspujun2026.html (Patch available per vendor advisory; no exact post-patch version number is published in the available data - consult the CPU's patch matrix for the specific EBS 12.2 RUP/one-off patch ID applicable to your release). Until patching, compensating controls include restricting HTTP access to the Subledger Accounting / Internal Operations endpoints to trusted networks via reverse-proxy ACLs or WAF rules (trade-off: may block legitimate finance integrations), tightening responsibility/menu assignments so the minimum set of EBS users hold privileges that map to Subledger Accounting functions (trade-off: requires role re-mapping and user retesting), and enabling/reviewing FND audit and database auditing on SLA-related schemas to detect anomalous activity (trade-off: increased log volume). Do not expose the EBS HTTP tier directly to the internet.

Share

CVE-2026-46959 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy