Skip to main content

Oracle Cost Management EUVDEUVD-2026-37245

| CVE-2026-46929 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable EBS HTTP tier (AV:N), low complexity per Oracle (AC:L), requires any valid EBS user (PR:L), no interaction (UI:N), and Oracle states full module takeover yielding C:H/I:H/A:H within the same scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:06 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Cost Management (E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker to fully compromise the Cost Planning component over HTTP. The flaw yields high confidentiality, integrity, and availability impact with no user interaction required, and is addressed in Oracle's June 2026 Critical Patch Update. No public exploit identified at time of analysis, but the low-complexity, network-accessible nature warrants priority patching by EBS operators.

Technical ContextAI

Oracle Cost Management is a module of Oracle E-Business Suite (EBS) that handles cost planning, accounting, and rollups for manufacturing and supply chain workflows. The affected Cost Planning component is exposed via the EBS HTTP/Oracle Application Framework tier, which authenticates EBS users and routes requests to backend PL/SQL and Java business logic. Because CWE is not assigned and Oracle's advisory text is intentionally sparse, the underlying weakness class is undisclosed, but the CVSS profile (AV:N/AC:L/PR:L/UI:N, S:U, C:H/I:H/A:H) is characteristic of authenticated-user injection or authorization-bypass flaws - common patterns in EBS modules where a legitimate self-service account can reach privileged business functions or inject content/queries that escalate within the same module.

RemediationAI

Apply the fixes shipped in Oracle's Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) for Oracle E-Business Suite 12.2.3-12.2.15; Oracle delivers EBS fixes as cumulative patch sets through My Oracle Support, so install the CPU-aligned patch for your exact 12.2.x level rather than waiting for a point release. Until the CPU can be deployed, reduce exposure by restricting network reachability of the EBS Cost Management URLs (typically /OA_HTML/ pages bound to the OA Framework function for Cost Planning) to trusted internal users through the EBS URL firewall / allowlist and the reverse proxy or WAF in front of the application tier, and audit and tighten EBS responsibilities so that broadly-issued user accounts do not carry Cost Management responsibilities - accepting that this will break legitimate Cost Planning workflows for users whose access you remove. Rotate credentials and review FND_LOGINS / sign-on audit logs for any anomalous access to Cost Management functions before patching, since a low-privileged credential is the only prerequisite for exploitation.

Share

EUVD-2026-37245 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy