Skip to main content

Oracle Configure to Order EUVDEUVD-2026-37254

| CVE-2026-46939 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

HTTP-reachable EBS module exploitable by any authenticated low-privileged user (AV:N/AC:L/PR:L/UI:N); full read/write to CtO data gives C:H/I:H, no availability impact stated so A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 22:01 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Configure to Order product of Oracle E-Business Suite (component: Supply to Order Workbench). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Configure to Order. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Configure to Order accessible data as well as unauthorized access to critical data or complete access to all Oracle Configure to Order accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

AnalysisAI

Authenticated data tampering and disclosure in Oracle Configure to Order (Oracle E-Business Suite) versions 12.2.3 through 12.2.15 allows a low-privileged attacker with network access via HTTP to fully read, modify, create, or delete all data accessible to the Supply to Order Workbench component. Oracle rates the issue CVSS 8.1 and describes it as easily exploitable; no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS account
Delivery
Reach Configure to Order HTTP endpoint
Exploit
Send crafted Supply to Order Workbench request
Execution
Bypass authorization on Workbench action
Persist
Read or modify CtO data outside scope
Impact
Exfiltrate or tamper with supply/order records

Vulnerability AssessmentAI

Exploitation Attacker must have network HTTP/HTTPS reachability to an Oracle E-Business Suite 12.2.3-12.2.15 instance that has the Oracle Configure to Order module deployed with the Supply to Order Workbench component active, and must hold a low-privileged authenticated EBS session (PR:L per Oracle's CVSS vector), but no user interaction, no elevated role, and no scope change are required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) describes a network-reachable, low-complexity attack requiring only a low-privileged EBS account and no user interaction, with high confidentiality and integrity impact but no availability impact - a strong signal for prioritization wherever EBS self-service or vendor/customer portal accounts exist. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privileged Oracle E-Business Suite account - for example through phishing of an internal user, reuse of a leaked supplier-portal credential, or a self-registered account on an exposed instance - authenticates to the EBS HTTP front end and issues crafted requests against the Supply to Order Workbench. Because the flaw is network-reachable with low attack complexity and no user interaction, a single HTTP transaction can read or alter supply-order data well outside the attacker's intended scope, enabling fraud such as redirecting supply against orders or exfiltrating sensitive customer and pricing data. …
Remediation Apply the Oracle Critical Patch Update fixes referenced in the June 2026 Critical Security Patch Update advisory at https://www.oracle.com/security-alerts/cspujun2026.html for each EBS 12.2.x release between 12.2.3 and 12.2.15; Oracle delivers these as patchset bundles tracked per EBS version, and exact patch numbers should be pulled from My Oracle Support based on the running 12.2.x level. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Oracle E-Business Suite versions 12.2.3 through 12.2.15 with Configure to Order/Supply to Order Workbench enabled; enumerate user accounts with access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37254 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy