Skip to main content

Oracle E-Business Suite CVE-2026-46973

| EUVDEUVD-2026-37283 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Oracle states HTTP-reachable, easily exploitable by a low-privileged attacker with no user interaction, resulting in full module takeover, so AV:N/AC:L/PR:L/UI:N and C:H/I:H/A:H within unchanged scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:45 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) within Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged remote attacker to fully compromise the module over HTTP. With CVSS 3.1 base score 8.8 and high impact on confidentiality, integrity, and availability, this is a high-priority patching item, though no public exploit identified at time of analysis and it is not currently listed in CISA KEV.

Technical ContextAI

Oracle E-Business Suite is a large integrated ERP/CRM/SCM platform; the Outsourced Mfg for Discrete Industries module supports contract manufacturing workflows within the Internal Operations component. The affected stack is the EBS 12.2 application tier, which runs on Oracle Application Server / WebLogic with Java/PL-SQL business logic exposed via HTTP servlets and OA Framework pages. No CWE was assigned by Oracle in the advisory, so the precise root cause class (e.g., improper authorization, deserialization, or SQL injection) is not disclosed, but the CVSS vector and 'takeover of the module' impact language are consistent with an authorization or input-handling flaw reachable through an authenticated HTTP request to the module.

RemediationAI

Patch available per vendor advisory: apply the fixes shipped in the Oracle Critical Patch Update June 2026 (CPUJUN2026) for Oracle E-Business Suite 12.2.3-12.2.15 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; exact patch numbers and prerequisite bundle patches should be taken from the Oracle CPU advisory and My Oracle Support notes referenced therein. Until the CPU is applied, restrict network reachability of the EBS application tier so that the Outsourced Mfg for Discrete Industries pages are only accessible from trusted internal networks or via VPN, tighten EBS responsibility/menu assignments so that ordinary functional users do not have access to Internal Operations or Outsourced Manufacturing responsibilities, and enable URL firewall / DMZ allowlisting in EBS to drop unexpected module URLs at the web tier (note this can break legitimate integrations and self-service flows, so test in a clone first). Increase monitoring on FND_LOGINS, FND_UNSUCCESSFUL_LOGINS, and Apache access logs for anomalous requests to OutsourcedMfg / Internal Operations endpoints in the interim.

Share

CVE-2026-46973 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy