Skip to main content

Oracle HR Intelligence CVE-2026-46971

| EUVDEUVD-2026-37281 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

HTTP-reachable EBS module (AV:N), needs valid low-priv EBS account (PR:L), Oracle states exploitation is difficult (AC:H), no UI, full module takeover gives C/I/A:H within same scope.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:46 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full compromise of Oracle HR Intelligence (a module of Oracle E-Business Suite) is possible for an authenticated low-privileged attacker who can reach the Internal Operations component over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw affects EBS versions 12.2.3 through 12.2.15 and yields high impact across confidentiality, integrity, and availability, though Oracle rates exploitation as difficult (AC:H). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege EBS account
Delivery
Reach HR Intelligence HTTP endpoint
Exploit
Send crafted Internal Operations request
Execution
Trigger difficult-to-exploit flaw
Persist
Take over HR Intelligence module
Impact
Exfiltrate/tamper HR data

Vulnerability AssessmentAI

Exploitation Attacker must have network reachability to the Oracle E-Business Suite HTTP tier and a valid low-privileged EBS account (PR:L) on an installation running HR Intelligence on EBS 12.2.3 through 12.2.15 with the Internal Operations component enabled; no user interaction is required (UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.5 is driven by full C/I/A impact (H/H/H) and network reach (AV:N), but is tempered by AC:H and PR:L, meaning the attacker must already hold a low-privilege EBS account and overcome non-trivial exploitation conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has phished or otherwise obtained a low-privilege Oracle EBS account (for example, an employee self-service login) sends crafted HTTP requests to the HR Intelligence Internal Operations endpoints exposed by the EBS application server. By chaining the difficult-to-trigger flaw, the attacker escalates within the HR Intelligence module and exfiltrates or tampers with sensitive employee records and HR analytics. …
Remediation Apply the Oracle E-Business Suite patches bundled in the June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); Oracle ships HR Intelligence fixes as part of the standard EBS 12.2 patchset for versions 12.2.3 through 12.2.15, and Patch available per vendor advisory with no separate fix version number disclosed. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Oracle EBS 12.2.3-12.2.15 deployments and document systems with HR Intelligence enabled; immediately restrict network access to the Internal Operations component to authorized IP ranges only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy