Skip to main content

Oracle E-Business Suite EUVDEUVD-2026-37246

| CVE-2026-46930 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.1 CRITICAL

Oracle states unauthenticated HTTPS exploitation is easy (AV:N, AC:L, PR:N, UI:N) with full data read/write but no service crash, so C:H/I:H/A:N and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:05 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle In-Memory Cost Management for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.12-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle In-Memory Cost Management for Discrete Industries. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle In-Memory Cost Management for Discrete Industries accessible data as well as unauthorized access to critical data or complete access to all Oracle In-Memory Cost Management for Discrete Industries accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Remote unauthenticated compromise of Oracle In-Memory Cost Management for Discrete Industries (Oracle E-Business Suite versions 12.2.12 through 12.2.15) allows network-based attackers to read, modify, create, or delete all data accessible to the product via HTTPS. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact but no availability impact, and no public exploit has been identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update advisory cspujun2026.

Technical ContextAI

The affected component is the Internal Operations module of Oracle In-Memory Cost Management for Discrete Industries, an analytical costing application that runs on the Oracle E-Business Suite 12.2 application tier (typically fronted by Oracle HTTP Server / WebLogic and backed by an Oracle Database). The CPE cpe:2.3:a:oracle_corporation:oracle_in-memory_cost_management_for_discrete_industries identifies the specific EBS product. Oracle did not publish a CWE, but the combination of CVSS AV:N/AC:L/PR:N/UI:N with high confidentiality and integrity impact and the 'Authentication Bypass' tag is consistent with a missing-authentication or broken-access-control class flaw (CWE-287/CWE-862-style) reachable over the HTTPS interface exposed by the EBS application servlets.

RemediationAI

Apply the patch available per the Oracle Critical Patch Update Advisory of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to Oracle E-Business Suite 12.2.12-12.2.15 - Oracle has not published an independent fix version outside the CPU bundle, so install the CPU-aligned patch set for your 12.2.x level rather than waiting for an out-of-band release. Until the CPU is applied, restrict network reachability of the In-Memory Cost Management for Discrete Industries servlets by placing the EBS application tier behind a VPN or IP allow-list, terminating untrusted HTTPS at a reverse proxy that blocks the Internal Operations URL paths, and disabling external access to the affected module through Oracle URL Firewall / DMZ configuration (trade-off: legitimate remote users of that module will lose access until patched). Increase WAF/IDS logging on the EBS HTTPS endpoints to detect anomalous unauthenticated requests against Cost Management URLs, and review audit logs for unexpected creation, modification, or deletion of costing data given the integrity impact.

Share

EUVD-2026-37246 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy