Skip to main content

Oracle E-Business Suite CVE-2026-46972

| EUVDEUVD-2026-37282 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

HTTP-reachable EBS web tier (AV:N), Oracle labels easily exploitable (AC:L), requires a low-privileged EBS account (PR:L), no user interaction, and description states full module takeover (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:46 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full takeover of Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) is achievable by a low-privileged authenticated attacker over HTTP, per Oracle's June 2026 Critical Patch Update advisory. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity, though no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS account
Delivery
Reach EBS web tier over HTTP
Exploit
Send crafted request to Internal Operations component
Execution
Exploit flaw in Outsourced Mfg module
Persist
Achieve full module takeover
Impact
Read/modify manufacturing and supply-chain data

Vulnerability AssessmentAI

Exploitation Attacker needs (1) network HTTP/HTTPS reachability to the Oracle E-Business Suite web tier hosting the Outsourced Mfg for Discrete Industries module, and (2) a valid low-privileged EBS account (PR:L) with access to the Internal Operations component - typical EBS end-user credentials are sufficient, no admin role required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) makes this a high-priority issue: network-reachable, low complexity, requires only a low-privileged EBS account, no user interaction, and yields full takeover of the module. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any low-privileged Oracle EBS account - for example a contractor or compromised supplier user - sends a crafted HTTP request to the Internal Operations component of the Outsourced Mfg module and takes over the product, gaining the ability to read, modify, and destroy manufacturing and supply-chain data. No user interaction is required, complexity is low, and a single account is sufficient; no public exploit identified at time of analysis, but Oracle explicitly labels it easily exploitable.
Remediation Apply patch available per vendor advisory by installing the fixes bundled in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); exact patch numbers are listed in the CPU's E-Business Suite patch availability matrix and should be applied to all instances on 12.2.3-12.2.15 in line with Oracle's standard adop/ad utility procedures, followed by post-patch validation of the Outsourced Mfg module. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Oracle E-Business Suite versions 12.2.3-12.2.15, confirm manufacturing module deployment status, and determine scope of low-privileged user access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46972 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy