Skip to main content

Oracle E-Business Suite CVE-2026-46969

| EUVDEUVD-2026-37279 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

HTTP-reachable EBS endpoint (AV:N/AC:L), requires high-privileged Financials for EMEA account (PR:H), no user interaction, results in full module takeover (C:H/I:H/A:H), no scope change.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:47 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Financials for EMEA product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Financials for EMEA. Successful attacks of this vulnerability can result in takeover of Oracle Financials for EMEA. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Privileged takeover of Oracle Financials for EMEA (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows an authenticated high-privileged attacker with HTTP network access to fully compromise confidentiality, integrity, and availability of the module. The CVSS 3.1 base score is 7.2 with vector AV:N/AC:L/PR:H/UI:N, and there is no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privileged EBS account
Delivery
Reach EBS HTTP application tier
Exploit
Send crafted request to Financials EMEA Internal Operations
Execution
Trigger vulnerable logic
Persist
Take over Financials for EMEA module
Impact
Read or tamper with financial data

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network HTTP reachability to the Oracle E-Business Suite application tier hosting the Oracle Financials for EMEA Internal Operations component, and (2) a valid high-privileged account within Oracle Financials for EMEA (PR:H in the CVSS vector) - typically a functional administrator or equivalent role with access to Internal Operations responsibilities. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H yields 7.2 (High), driven by full CIA impact but tempered by the PR:H requirement - the attacker must already hold high privileges within Oracle Financials for EMEA, which significantly narrows the realistic threat population to insiders or attackers who have already chained another flaw to obtain a privileged EBS account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been granted a high-privileged Oracle Financials for EMEA account - for example a malicious insider, a contractor whose access was not revoked, or an external attacker who first phished a finance administrator - sends crafted HTTP requests to the Internal Operations component of the EBS application tier. Successful exploitation results in full takeover of the Financials for EMEA module, allowing the attacker to read, alter, or destroy financial records and supporting operational data. …
Remediation Apply the fixes delivered in the Oracle June 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory; a specific patched build number was not provided in the supplied intelligence, so consult the CPU matrix for the exact patch ID matching your 12.2.x release. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all high-privilege user accounts with access to Oracle E-Business Suite 12.2.3-12.2.15 and review administrative activity logs for anomalies. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46969 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy