Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable EBS HTTP tier (AV:N), low complexity per Oracle (AC:L), requires any valid EBS user (PR:L), no interaction (UI:N), and Oracle states full module takeover yielding C:H/I:H/A:H within the same scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Cost Planning component over HTTP. The flaw yields high confidentiality, integrity, and availability impact with no user interaction required, and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low-complexity, network-accessible nature warrants priority patching by EBS operators.
Technical ContextAI
Oracle Cost Management is a module of Oracle E-Business Suite (EBS) that handles cost planning, accounting, and rollups for manufacturing and supply chain workflows. The affected Cost Planning component is exposed via the EBS HTTP/Oracle Application Framework tier, which authenticates EBS users and routes requests to backend PL/SQL and Java business logic. Because CWE is not assigned and Oracle's advisory text is intentionally sparse, the underlying weakness class is undisclosed, but the CVSS profile (AV:N/AC:L/PR:L/UI:N, S:U, C:H/I:H/A:H) is characteristic of authenticated-user injection or authorization-bypass flaws - common patterns in EBS modules where a legitimate self-service account can reach privileged business functions or inject content/queries that escalate within the same module.
RemediationAI
Apply the fixes shipped in Oracle's Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle E-Business Suite 12.2.3-12.2.15; Oracle delivers EBS fixes as cumulative patch sets through My Oracle Support, so install the CPU-aligned patch for your exact 12.2.x level rather than waiting for a point release. Until the CPU can be deployed, reduce exposure by restricting network reachability of the EBS Cost Management URLs (typically /OA_HTML/ pages bound to the OA Framework function for Cost Planning) to trusted internal users through the EBS URL firewall / allowlist and the reverse proxy or WAF in front of the application tier, and audit and tighten EBS responsibilities so that broadly-issued user accounts do not carry Cost Management responsibilities - accepting that this will break legitimate Cost Planning workflows for users whose access you remove. Rotate credentials and review FND_LOGINS / sign-on audit logs for any anomalous access to Cost Management functions before patching, since a low-privileged credential is the only prerequisite for exploitation.
More in Oracle Cost Management
View allRemote takeover of Oracle Cost Management (component: Cost Planning) within Oracle E-Business Suite versions 12.2.3 thro
Full compromise of Oracle Cost Management (component: Cost Planning) in Oracle E-Business Suite versions 12.2.3 through
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37245