Skip to main content

Oracle E-Business Suite CVE-2026-46976

| EUVDEUVD-2026-37285 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

HTTP-reachable EBS module (AV:N), described as easily exploitable (AC:L), requires a high-privileged EBS account (PR:H), no user interaction, and results in full module takeover (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:44 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Public Sector Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Public Sector Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Public Sector Payroll. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full takeover of Oracle Public Sector Payroll (E-Business Suite 12.2.3-12.2.15) is possible by a high-privileged, network-adjacent attacker exploiting a flaw in the Internal Operations component, with confidentiality, integrity, and availability all fully impacted. Oracle's June 2026 Critical Patch Update describes the issue as easily exploitable over HTTP once privileges are held, and no public exploit identified at time of analysis. CVSS 3.1 base score is 7.2.

Technical ContextAI

The affected technology is Oracle E-Business Suite (EBS), Oracle's flagship on-premises ERP platform, specifically the Public Sector Payroll module within the Internal Operations component. EBS 12.2.x is a multi-tier J2EE/Forms application typically fronted by Oracle HTTP Server and backed by an Oracle Database, where modules expose business logic through HTTP-driven servlets, OAF pages, and PL/SQL APIs. No CWE is supplied by Oracle (consistent with the vendor's standard CPU disclosure practice), but the combination of HTTP attack vector and high-privilege precondition leading to full module takeover is typical of authenticated injection or insecure deserialization/PLSQL-API exposure issues in EBS modules.

RemediationAI

Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; patch available per vendor advisory, but no single exact patched build number is reproduced in the input, so administrators should consult the CPU patch matrix to identify the correct EBS 12.2 RPC/AD-TXK and Public Sector Payroll patch IDs for their version. Until the CPU is applied, compensating controls include tightly restricting which EBS responsibilities grant Public Sector Payroll Internal Operations privileges, auditing and reducing accounts that already hold those high-privilege roles, putting the EBS internal URLs behind network ACLs so only HR/payroll administrator workstations can reach them (side effect: legitimate remote admins lose direct access and must use a jump host), and enabling EBS auditing/FND audit trail on Internal Operations forms and APIs to detect abuse (side effect: increased audit volume and storage). Do not disable Public Sector Payroll outright unless the module is unused, as that breaks payroll processing.

Share

CVE-2026-46976 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy