Skip to main content

Oracle E-Business Suite EUVDEUVD-2026-33041

| CVE-2026-46818 HIGH
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-2f6j-3xh8-jcv7
7.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:27 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Payments. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payments accessible data as well as unauthorized access to critical data or complete access to all Oracle Payments accessible data. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Unauthorized data modification and disclosure in Oracle E-Business Suite (Oracle Payments component, File Transmission) versions 12.2.3 through 12.2.15 allows unauthenticated remote attackers over HTTPS to read, alter, create, or delete all Oracle Payments-accessible data. The flaw carries a CVSS 3.1 base score of 7.4 with high confidentiality and integrity impact but no availability impact, and is rated high attack complexity. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.

Technical ContextAI

Oracle E-Business Suite (EBS) is a large enterprise resource planning (ERP) platform; the Oracle Payments module handles funds capture and disbursement, and its File Transmission subcomponent is responsible for exchanging payment instruction files with banks and payment processors over network protocols. The CPE 'cpe:2.3:a:oracle_corporation:oracle_payments:*' confirms the Payments product family is in scope, with the description narrowing affected releases to the 12.2.3-12.2.15 branch of EBS. No CWE was assigned by the reporter, but the 'Authentication Bypass' tag combined with PR:N in the CVSS vector implies a flaw in how the File Transmission endpoint validates the identity or authorization of HTTPS clients, allowing operations that should require authenticated, privileged sessions.

RemediationAI

Apply the patches delivered in Oracle's May 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspumay2026.html (Patch available per vendor advisory; an exact unified fix version is not enumerated in the provided data and should be taken from the CPU's per-version patch matrix for EBS 12.2.3-12.2.15). Until the CPU is deployed, compensating controls include restricting network reachability of the Oracle Payments File Transmission endpoints to known bank/processor IP ranges via firewall or reverse proxy ACLs (side effect: legitimate processor IP changes will require ACL updates), placing EBS behind a WAF with rules that block unauthenticated requests to the File Transmission servlet paths (side effect: may break legitimate file delivery workflows if rules are too broad), and increasing audit logging on Oracle Payments tables to detect anomalous create/update/delete activity. Avoid disabling File Transmission entirely unless your organization does not use Oracle Payments file-based settlement, as it will halt outbound payment file exchange.

Share

EUVD-2026-33041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy