Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network HTTP access with a low-privileged EBS account (PR:L), no user interaction, low complexity, and Oracle states full takeover of the OPM module yielding High C/I/A; scope unchanged as impact stays within EBS.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Quality Management Specs). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development. Successful attacks of this vulnerability can result in takeover of Oracle Process Manufacturing Product Development. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover of Oracle Process Manufacturing Product Development (versions 12.2.3-12.2.15) is achievable by a low-privileged remote attacker over HTTP via the Quality Management Specs component. The flaw scores CVSS 8.8 with full confidentiality, integrity, and availability impact, and Oracle classifies it as easily exploitable; no public exploit identified at time of analysis and it is not listed in CISA KEV.
Technical ContextAI
The vulnerability resides in the Quality Management Specs component of Oracle Process Manufacturing (OPM) Product Development, an Oracle E-Business Suite (EBS) 12.2 module used by process manufacturers to manage formulas, recipes, and quality specifications. Affected deployments run on the Oracle EBS 12.2 application tier (Oracle WebLogic / Oracle HTTP Server front-end with the OAF/Forms layer), where the OPM module exposes HTTP endpoints reachable by authenticated EBS users. The CPE confirms the affected product as oracle_process_manufacturing_product_development across all listed versions. No CWE was assigned by Oracle, but the combination of low-privilege HTTP access leading to full product takeover is consistent with an authorization or input-handling weakness in an OPM Quality Management Specs servlet/page that fails to properly restrict actions available to ordinary EBS application accounts.
RemediationAI
Apply the fixes shipped in Oracle's June 2026 Critical Patch Update as referenced at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle does not publish a single fix version for OPM, so install the CPUJUN2026 patchset matching your EBS 12.2 release level (12.2.3 through 12.2.15) via AutoConfig/adop. Patch available per vendor advisory - no independent fix-version string was disclosed in the public data. If patching must be deferred, restrict network reachability of the OPM Quality Management Specs URLs (e.g., via Oracle HTTP Server mod_rewrite/URL firewall rules or a reverse proxy ACL), tighten EBS responsibility assignments so that ordinary users cannot reach OPM Product Development menus, and monitor FND_LOGINS / OAM audit logs for anomalous access to OPM functions; note that URL-level blocks can break legitimate OPM quality workflows and responsibility tightening can disrupt downstream manufacturing users.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37235