Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Oracle states unauthenticated HTTPS exploitation is easy (AV:N, AC:L, PR:N, UI:N) with full data read/write but no service crash, so C:H/I:H/A:N and unchanged scope.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle In-Memory Cost Management for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.12-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle In-Memory Cost Management for Discrete Industries. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle In-Memory Cost Management for Discrete Industries accessible data as well as unauthorized access to critical data or complete access to all Oracle In-Memory Cost Management for Discrete Industries accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
AnalysisAI
Remote unauthenticated compromise of Oracle In-Memory Cost Management for Discrete Industries (Oracle E-Business Suite versions 12.2.12 through 12.2.15) allows network-based attackers to read, modify, create, or delete all data accessible to the product via HTTPS. The flaw carries a CVSS 3.1 base score of 9.1 with high confidentiality and integrity impact but no availability impact, and no public exploit has been identified at time of analysis. Oracle disclosed the issue in the June 2026 Critical Patch Update advisory cspujun2026.
Technical ContextAI
The affected component is the Internal Operations module of Oracle In-Memory Cost Management for Discrete Industries, an analytical costing application that runs on the Oracle E-Business Suite 12.2 application tier (typically fronted by Oracle HTTP Server / WebLogic and backed by an Oracle Database). The CPE cpe:2.3:a:oracle_corporation:oracle_in-memory_cost_management_for_discrete_industries identifies the specific EBS product. Oracle did not publish a CWE, but the combination of CVSS AV:N/AC:L/PR:N/UI:N with high confidentiality and integrity impact and the 'Authentication Bypass' tag is consistent with a missing-authentication or broken-access-control class flaw (CWE-287/CWE-862-style) reachable over the HTTPS interface exposed by the EBS application servlets.
RemediationAI
Apply the patch available per the Oracle Critical Patch Update Advisory of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to Oracle E-Business Suite 12.2.12-12.2.15 - Oracle has not published an independent fix version outside the CPU bundle, so install the CPU-aligned patch set for your 12.2.x level rather than waiting for an out-of-band release. Until the CPU is applied, restrict network reachability of the In-Memory Cost Management for Discrete Industries servlets by placing the EBS application tier behind a VPN or IP allow-list, terminating untrusted HTTPS at a reverse proxy that blocks the Internal Operations URL paths, and disabling external access to the affected module through Oracle URL Firewall / DMZ configuration (trade-off: legitimate remote users of that module will lose access until patched). Increase WAF/IDS logging on the EBS HTTPS endpoints to detect anomalous unauthenticated requests against Cost Management URLs, and review audit logs for unexpected creation, modification, or deletion of costing data given the integrity impact.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37246