Skip to main content

Oracle iAssets EUVDEUVD-2026-33045

| CVE-2026-46822 CRITICAL
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-mcf7-2r26-r689
9.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:25 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iAssets. While the vulnerability is in Oracle iAssets, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iAssets. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle iAssets (part of Oracle E-Business Suite versions 12.2.3 through 12.2.15) allows a low-privileged attacker with HTTP network access to fully compromise the iAssets component and pivot into adjacent products via a scope change. The 9.9 CVSS score reflects high impact on confidentiality, integrity, and availability combined with low attack complexity; no public exploit identified at time of analysis, but Oracle's inclusion in the May 2026 Critical Patch Update warrants immediate attention.

Technical ContextAI

Oracle iAssets is a module within Oracle E-Business Suite (EBS) under the Internal Operations component, used by organizations to manage internal asset tracking and lifecycle workflows. The affected CPE (cpe:2.3:a:oracle_corporation:oracle_iassets) spans the 12.2.x EBS release family. Oracle did not publish a CWE classification for this issue, but the combination of network attack vector over HTTP, low-privilege precondition, and a scope-changing impact is consistent with web-tier authorization or injection flaws in EBS's Oracle Application Framework (OAF) servlets, where a logged-in EBS user can manipulate iAssets endpoints to act beyond their permitted module boundary.

RemediationAI

Patch available per vendor advisory: apply the relevant fix from the Oracle Critical Patch Update - May 2026 (https://www.oracle.com/security-alerts/cspumay2026.html), which covers each supported 12.2.x release; specific patched build numbers are listed in the CPU patch availability matrix and should be retrieved from My Oracle Support before scheduling the outage window. As compensating controls until patching, restrict network reachability of the EBS web tier so that iAssets URLs (typically under /OA_HTML/ paths invoking OA.jsp and iAssets-specific functions) are not reachable from untrusted networks, place the EBS frontend behind a WAF with rules blocking anomalous OAF parameters, and tighten EBS responsibility/menu assignments so fewer accounts hold iAssets responsibilities - recognising these reduce attack surface but do not eliminate risk for insiders or compromised low-privilege accounts.

Share

EUVD-2026-33045 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy