Skip to main content

Oracle E-Business Suite CVE-2026-46967

| EUVDEUVD-2026-37278 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

HTTP-reachable EBS module exploitable by any authenticated low-privileged user (PR:L) with no interaction or complexity, yielding full module takeover (C/I/A:H), scope unchanged within EBS.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:48 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Public Sector Financials (International). Successful attacks of this vulnerability can result in takeover of Oracle Public Sector Financials (International). CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Authorization flaw in Oracle Public Sector Financials (International) versions 12.2.3 through 12.2.15 enables low-privileged authenticated attackers with HTTP network access to fully take over the affected component. Oracle's Critical Patch Update describes the issue as easily exploitable with high impact to confidentiality, integrity, and availability (CVSS 8.8). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS account
Delivery
Reach EBS HTTP application tier
Exploit
Send crafted request to Public Sector Financials (International) endpoint
Execution
Bypass authorization check
Persist
Execute privileged module operations
Impact
Full takeover of Public Sector Financials data

Vulnerability AssessmentAI

Exploitation Requires (1) a reachable HTTP/HTTPS endpoint of an Oracle E-Business Suite 12.2.3-12.2.15 instance with the Public Sector Financials (International) localization module deployed and enabled, and (2) valid credentials for any low-privileged EBS account (PR:L) - anonymous exploitation is not in scope per the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The combined signals point to a high real-world priority for any organization running Oracle EBS 12.2 with this module enabled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or registered any low-privileged EBS account - for example, a self-service user, a former contractor, or a phished employee - sends crafted HTTP requests to the Public Sector Financials (International) module endpoints and bypasses authorization checks to perform privileged operations, ultimately gaining full takeover of the module's data and workflows. Because Oracle rates the issue as easily exploitable with AC:L and no user interaction, repeatable exploitation against an exposed instance is realistic once the patch is reverse-engineered, even though no public exploit identified at time of analysis.
Remediation Apply the Oracle Critical Patch Update referenced in the June 2026 advisory at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle's CPU bundles the fix for CVE-2026-46967 across the 12.2.3-12.2.15 supported branches and specific patch numbers must be retrieved from My Oracle Support for the deployed version (exact patched build identifier not independently confirmed beyond the CPU advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and inventory all systems running Oracle Public Sector Financials versions 12.2.3-12.2.15; document current network exposure and user access patterns. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46967 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy