Skip to main content

Oracle Payroll EUVDEUVD-2026-33050

| CVE-2026-46828 HIGH
Improper Access Control (CWE-284)
2026-05-28 oracle GHSA-r6ff-f8fv-xc96
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 21:23 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Payroll. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payroll accessible data as well as unauthorized access to critical data or complete access to all Oracle Payroll accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Unauthorized data access and modification in Oracle Payroll (a module of Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker with HTTP network access to read, create, delete, or modify any data accessible to the Oracle Payroll application. The flaw carries a CVSS 8.1 due to high confidentiality and integrity impact with low attack complexity, but no public exploit identified at time of analysis and it is not listed in CISA KEV. The advisory was published as part of Oracle's Critical Patch Update cycle (CPU May 2026).

Technical ContextAI

Oracle Payroll is a human-capital-management module within Oracle E-Business Suite (EBS), a large enterprise application suite that exposes web-based functionality via the Oracle HTTP Server/Apache stack and the EBS Internal Operations component identified in the advisory. Per the CPE (cpe:2.3:a:oracle_corporation:oracle_payroll), the vulnerable code lives in the Payroll application itself rather than the underlying database or middleware. No CWE was assigned by Oracle (consistent with Oracle's typical CPU disclosure practice), but the impact pattern - read plus write access to data accessible to the application without availability impact - combined with the 'Authentication Bypass' tag suggests broken access control or authorization logic in a Payroll HTTP endpoint, where an authenticated low-privilege EBS user can reach functions or records that should be restricted to higher-privileged Payroll roles.

RemediationAI

Apply the Oracle Critical Patch Update for May 2026 as documented at https://www.oracle.com/security-alerts/cspumay2026.html, which is the vendor-released patch covering Oracle E-Business Suite 12.2.3 through 12.2.15; Oracle distributes the fix as patchset bundles applied via adop, so coordinate downtime and a fresh EBS backup before patching. If the CPU cannot be applied immediately, restrict reachability to the Payroll Internal Operations endpoints by enforcing network ACLs or WAF rules so that only the HR/Payroll user population - not all authenticated EBS users - can reach those URLs (this may break self-service flows that legitimately traverse shared code, so test in a clone first), and audit EBS role assignments to minimize the population holding any low-privilege Payroll-adjacent responsibility. Increase monitoring on Payroll module FND logs and database audit trails for anomalous read/write activity against payroll tables until the patch is in place.

Share

EUVD-2026-33050 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy