Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Payments. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payments accessible data as well as unauthorized access to critical data or complete access to all Oracle Payments accessible data. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
AnalysisAI
Unauthorized data modification and disclosure in Oracle E-Business Suite (Oracle Payments component, File Transmission) versions 12.2.3 through 12.2.15 allows unauthenticated remote attackers over HTTPS to read, alter, create, or delete all Oracle Payments-accessible data. The flaw carries a CVSS 3.1 base score of 7.4 with high confidentiality and integrity impact but no availability impact, and is rated high attack complexity. No public exploit identified at time of analysis, and it is not currently listed in CISA KEV.
Technical ContextAI
Oracle E-Business Suite (EBS) is a large enterprise resource planning (ERP) platform; the Oracle Payments module handles funds capture and disbursement, and its File Transmission subcomponent is responsible for exchanging payment instruction files with banks and payment processors over network protocols. The CPE 'cpe:2.3:a:oracle_corporation:oracle_payments:*' confirms the Payments product family is in scope, with the description narrowing affected releases to the 12.2.3-12.2.15 branch of EBS. No CWE was assigned by the reporter, but the 'Authentication Bypass' tag combined with PR:N in the CVSS vector implies a flaw in how the File Transmission endpoint validates the identity or authorization of HTTPS clients, allowing operations that should require authenticated, privileged sessions.
RemediationAI
Apply the patches delivered in Oracle's May 2026 Critical Patch Update referenced at https://www.oracle.com/security-alerts/cspumay2026.html (Patch available per vendor advisory; an exact unified fix version is not enumerated in the provided data and should be taken from the CPU's per-version patch matrix for EBS 12.2.3-12.2.15). Until the CPU is deployed, compensating controls include restricting network reachability of the Oracle Payments File Transmission endpoints to known bank/processor IP ranges via firewall or reverse proxy ACLs (side effect: legitimate processor IP changes will require ACL updates), placing EBS behind a WAF with rules that block unauthenticated requests to the File Transmission servlet paths (side effect: may break legitimate file delivery workflows if rules are too broad), and increasing audit logging on Oracle Payments tables to detect anomalous create/update/delete activity. Avoid disabling File Transmission entirely unless your organization does not use Oracle Payments file-based settlement, as it will halt outbound payment file exchange.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33041
GHSA-2f6j-3xh8-jcv7