Skip to main content

Oracle Cost Management EUVDEUVD-2026-37253

| CVE-2026-46938 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.2
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable EBS HTTP endpoint with low complexity, but exploitation requires a high-privileged Cost Management responsibility (PR:H), no user interaction, unchanged scope, full CIA takeover of the module.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:01 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full compromise of Oracle Cost Management (component: Cost Planning) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, resulting in takeover of the module with high confidentiality, integrity, and availability impact. Oracle's Critical Patch Update for June 2026 (cspujun2026) classifies this as easily exploitable once the privilege prerequisite is met. No public exploit identified at time of analysis and no CISA KEV listing observed.

Technical ContextAI

The flaw resides in the Cost Planning component of Oracle Cost Management, a financial module within Oracle E-Business Suite (CPE cpe:2.3:a:oracle_corporation:oracle_cost_management) that calculates standard and actual costs across manufacturing and inventory flows. EBS exposes these modules over the Oracle Application Framework via HTTP servlets fronted by Oracle HTTP Server, so a privileged session within the EBS console can reach the affected handler. No CWE was assigned in the input, but the 'takeover of Oracle Cost Management' wording combined with C:H/I:H/A:H and PR:H is consistent with a missing authorization or unsafe deserialization/injection sink reachable from a privileged business role rather than a memory-corruption bug.

RemediationAI

Apply the patch available per vendor advisory in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); exact post-patch version numbers are published in the CPU matrix and should be applied to all EBS 12.2.3-12.2.15 installations. As compensating controls until the CPU can be rolled out, restrict assignment of Cost Management and Cost Planning responsibilities to the minimum set of users, review and prune existing high-privileged role grants in EBS, place the EBS application tier behind a network filter that only permits trusted internal sources (trade-off: blocks remote business users), and increase audit logging on Cost Planning forms and concurrent programs to detect abuse - trade-off being added log volume and potential noise for SOC review.

Share

EUVD-2026-37253 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy