Skip to main content

Oracle E-Business Suite EUVDEUVD-2026-37243

| CVE-2026-46927 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

SOAP endpoint is network-reachable (AV:N) with no auth or user interaction (PR:N/UI:N); Oracle's AC:H reflects non-trivial conditions; description states full takeover (C:H/I:H/A:H).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:07 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Receivables product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SOAP to compromise Oracle Receivables. Successful attacks of this vulnerability can result in takeover of Oracle Receivables. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Remote takeover of Oracle Receivables in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by unauthenticated attackers reaching the SOAP interface of the Internal Operations component. Oracle's CVSS 3.1 score of 8.1 reflects full confidentiality, integrity, and availability impact, though high attack complexity (AC:H) tempers the practical risk. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed EBS SOAP endpoint
Delivery
Craft malicious SOAP request to Internal Operations
Exploit
Bypass complexity conditions (AC:H)
Execution
Trigger flaw in Receivables handler
Persist
Achieve full Receivables takeover
Impact
Exfiltrate financial data and tamper with records

Vulnerability AssessmentAI

Exploitation The attacker must be able to reach the Oracle E-Business Suite SOAP web service endpoint exposed by the Internal Operations component of Oracle Receivables on a running EBS 12.2.3-12.2.15 instance - in practice this means network access to the EBS web/application tier (often via the Integrated SOA Gateway). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals point in different directions and should be weighed together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network reach to the EBS web tier (internal LAN, VPN, or an internet-exposed SOA Gateway) sends a specially crafted SOAP request to a Receivables Internal Operations endpoint without authenticating. By satisfying the specific conditions required by the flaw (reflected in AC:H), the request results in full compromise of the Receivables module, exposing customer financial data, allowing tampering with invoices and balances, and enabling denial of service. …
Remediation Apply the patches in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), which is the authoritative fix referenced by the advisory; the input does not provide an exact patch-set bundle number, so consult that CPU matrix for the precise Oracle Receivables 12.2.x patch that corresponds to your installed version. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Oracle E-Business Suite instances running versions 12.2.3-12.2.15 and assess network exposure to the SOAP interface. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37243 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy