Skip to main content

Oracle E-Business Suite EUVDEUVD-2026-37251

| CVE-2026-46935 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

HTTP-reachable EBS module needing a valid low-privilege account (PR:L) and non-trivial conditions (AC:H); successful exploitation takes over CMRO so C:H/I:H/A:H within unchanged scope.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:03 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full takeover of Oracle Complex Maintenance, Repair and Overhaul (CMRO) versions 12.2.3 through 12.2.15 is possible by an authenticated low-privileged attacker over HTTP against the Internal Operations component. Successful exploitation yields high impact to confidentiality, integrity, and availability of the CMRO module, though Oracle rates the attack complexity as high. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege EBS credentials
Delivery
Reach CMRO HTTP endpoints on app tier
Exploit
Identify Internal Operations request flow
Execution
Send crafted request meeting AC:H conditions
Persist
Bypass authorization within CMRO module
Impact
Take over CMRO data and functions

Vulnerability AssessmentAI

Exploitation The attacker must (1) have network reachability to the Oracle E-Business Suite application tier over HTTP/HTTPS - typically internal LAN, VPN, or an exposed EBS portal - and (2) possess valid credentials for an EBS account with at least low privileges, per PR:L in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impact tempered by AC:H (non-trivial exploitation conditions, e.g. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been issued a low-privilege Oracle EBS account (for example a contractor, a phished maintenance technician, or a compromised vendor login) reaches the CMRO Internal Operations endpoints over HTTP and submits a crafted request sequence that abuses the vulnerable logic to escalate within the module. Because Oracle classifies the result as 'takeover' of CMRO, the attacker can then read, modify, or destroy maintenance work orders, parts records, and operational data tied to high-value assets. …
Remediation Apply the fixes bundled in Oracle's June 2026 Critical Patch Update as documented at https://www.oracle.com/security-alerts/cspujun2026.html; an exact patched build number is not stated in the provided data, so administrators should consult the CPU matrix for their EBS 12.2.x level and apply the corresponding CMRO patch through AutoPatch/adop. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Oracle CMRO 12.2.3-12.2.15 deployments; restrict HTTP access to Internal Operations component to explicit trusted internal networks; review current low-privileged user base. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37251 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy