Skip to main content

Oracle Project Portfolio Analysis CVE-2026-46961

| EUVDEUVD-2026-37272 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Oracle states network HTTP access with a low-privileged account and no user interaction yields full takeover of the module, so AV:N/AC:L/PR:L/UI:N with C:H/I:H/A:H and unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:51 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the module over HTTP. Oracle's June 2026 Critical Patch Update rates the issue 8.8 with high confidentiality, integrity, and availability impacts, and the CVSS vector flags it as easily exploitable; no public exploit identified at time of analysis and the issue is not on CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-priv EBS account
Delivery
Reach EBS web tier over HTTP
Exploit
Authenticate to Project Portfolio Analysis
Execution
Send crafted Internal Operations request
Persist
Exploit authorization/injection flaw
Impact
Take over Project Portfolio Analysis module

Vulnerability AssessmentAI

Exploitation Attacker must possess valid credentials for any low-privileged Oracle E-Business Suite 12.2 account that can authenticate to the Project Portfolio Analysis module's Internal Operations component over HTTP/HTTPS, and must have network reachability to the EBS web tier (Oracle HTTP Server / WebLogic forms or OA Framework URLs). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine priority for any EBS 12.2 operator: CVSS 8.8 with AV:N/AC:L/PR:L/UI:N means a single low-privileged EBS account (any self-service or named portfolio user) can fully take over the module over HTTP, and EBS web tiers are frequently reachable from intranet or partner networks. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has phished or otherwise obtained any low-privileged Oracle EBS account logs into the Project Portfolio Analysis self-service interface and sends a crafted HTTP request to an Internal Operations endpoint. Because no user interaction is required and complexity is low, a single request chain elevates the attacker to full read/write/destroy control of the module, enabling manipulation of project financial data or use of the module as a pivot into the wider EBS stack. …
Remediation Patch available per vendor advisory: apply the Oracle Critical Patch Update of June 2026 for Oracle E-Business Suite 12.2 as described at https://www.oracle.com/security-alerts/cspujun2026.html - Oracle does not publish per-CVE point versions, so install the CPU bundle covering Project Portfolio Analysis on all 12.2.3-12.2.15 environments. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems running Oracle PPA 12.2.3-12.2.15 in production and test environments; restrict HTTP access to PPA modules to administrative personnel only via firewall rules; audit current user privilege assignments in affected instances. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46961 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy