Skip to main content

Oracle HR Intelligence EUVDEUVD-2026-37240

| CVE-2026-46922 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
7.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable HTTP endpoint with low complexity, but requires a high-privilege EBS account (PR:H) and no user interaction; full takeover yields C:H/I:H/A:H, scope unchanged.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:09 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full compromise of Oracle HR Intelligence (component: Internal Operations) in Oracle E-Business Suite 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged user over the network via HTTP, leading to takeover of the HR Intelligence module with full confidentiality, integrity, and availability impact. The flaw was reported by Oracle and disclosed in the June 2026 Critical Patch Update; there is no public exploit identified at time of analysis and the issue is not on CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privilege EBS account
Delivery
Reach HR Intelligence HTTP endpoint
Exploit
Invoke Internal Operations function
Execution
Abuse privileged operation
Persist
Take over HR Intelligence module
Impact
Exfiltrate or tamper with HR data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on Oracle E-Business Suite with a high-privilege role that can reach the HR Intelligence 'Internal Operations' component over HTTP, and the target EBS deployment must be running HR Intelligence at version 12.2.3 through 12.2.15. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals point to a moderately high real-world risk but not a fire-drill: CVSS 3.1 is 7.2 with AV:N/AC:L/PR:H/UI:N and full C/I/A, so once an attacker holds a high-privilege EBS account the takeover path is straightforward and reliable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been issued a high-privilege Oracle EBS account - for example a compromised HR administrator, an over-privileged integration service account, or a malicious insider - sends crafted HTTP requests to the HR Intelligence Internal Operations endpoints from anywhere the EBS mid-tier is reachable. Because attack complexity is low and no user interaction is required, the attacker reliably takes over the HR Intelligence module, reading or altering sensitive HR data and disrupting reporting. …
Remediation Apply the Oracle Critical Patch Update of June 2026 for Oracle E-Business Suite as documented at https://www.oracle.com/security-alerts/cspujun2026.html; the input does not name a specific patched build, so this is best described as patch available per vendor advisory and administrators should consult the CPU matrix for the exact EBS 12.2 patch bundle covering HR Intelligence. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify and audit all high-privilege accounts accessing HR Intelligence; review recent access logs for anomalous activity. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37240 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy