Skip to main content

Oracle E-Business Suite EUVDEUVD-2026-37235

| CVE-2026-46916 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network HTTP access with a low-privileged EBS account (PR:L), no user interaction, low complexity, and Oracle states full takeover of the OPM module yielding High C/I/A; scope unchanged as impact stays within EBS.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:11 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Quality Management Specs). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development. Successful attacks of this vulnerability can result in takeover of Oracle Process Manufacturing Product Development. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover of Oracle Process Manufacturing Product Development (versions 12.2.3-12.2.15) is achievable by a low-privileged remote attacker over HTTP via the Quality Management Specs component. The flaw scores CVSS 8.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Technical ContextAI

The vulnerability resides in the Quality Management Specs component of Oracle Process Manufacturing (OPM) Product Development, an Oracle E-Business Suite (EBS) 12.2 module used by process manufacturers to manage formulas, recipes, and quality specifications. Affected deployments run on the Oracle EBS 12.2 application tier (Oracle WebLogic / Oracle HTTP Server front-end with the OAF/Forms layer), where the OPM module exposes HTTP endpoints reachable by authenticated EBS users. The CPE confirms the affected product as oracle_process_manufacturing_product_development across all listed versions. No CWE was assigned by Oracle, but the combination of low-privilege HTTP access leading to full product takeover is consistent with an authorization or input-handling weakness in an OPM Quality Management Specs servlet/page that fails to properly restrict actions available to ordinary EBS application accounts.

RemediationAI

Apply the fixes shipped in Oracle's June 2026 Critical Patch Update as referenced at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle does not publish a single fix version for OPM, so install the CPUJUN2026 patchset matching your EBS 12.2 release level (12.2.3 through 12.2.15) via AutoConfig/adop. Patch available per vendor advisory - no independent fix-version string was disclosed in the public data. If patching must be deferred, restrict network reachability of the OPM Quality Management Specs URLs (e.g., via Oracle HTTP Server mod_rewrite/URL firewall rules or a reverse proxy ACL), tighten EBS responsibility assignments so that ordinary users cannot reach OPM Product Development menus, and monitor FND_LOGINS / OAM audit logs for anomalous access to OPM functions; note that URL-level blocks can break legitimate OPM quality workflows and responsibility tightening can disrupt downstream manufacturing users.

Share

EUVD-2026-37235 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy