Skip to main content

Oracle iSupport EUVDEUVD-2026-37257

| CVE-2026-46944 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

HTTP-reachable EBS module so AV:N/AC:L/UI:N; requires high-privileged EBS account so PR:H; full iSupport takeover with impact on other modules gives S:C and C:H/I:H/A:H.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:59 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Full takeover of Oracle iSupport (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with a scope change that lets the attack significantly impact additional products beyond iSupport itself. The flaw carries a CVSS 3.1 base score of 9.1 with confidentiality, integrity, and availability all rated High, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain high-privileged EBS account
Delivery
Reach iSupport HTTP endpoint
Exploit
Send crafted Internal Operations request
Execution
Bypass authorization on privileged operation
Persist
Take over iSupport module
Impact
Pivot via scope change to other EBS components

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to already hold a high-privileged authenticated account in Oracle E-Business Suite / iSupport (CVSS PR:H), and network HTTP reachability to the iSupport web tier on a running EBS 12.2.3-12.2.15 instance with the Internal Operations component deployed. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained or been granted a high-privileged Oracle EBS account (for example a compromised administrator, an over-privileged integration user, or a malicious insider) issues crafted HTTP requests to the iSupport Internal Operations endpoints from anywhere they can reach the EBS web tier. The vulnerable code executes the operation without sufficient isolation, giving full takeover of iSupport and - due to scope change - the ability to affect other Oracle EBS modules sharing the same application context. …
Remediation Patch available per vendor advisory: apply the fixes bundled in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html) to all Oracle E-Business Suite 12.2.3-12.2.15 environments running iSupport; specific patch numbers are listed inside the CPU patch availability matrix and should be selected per EBS release level. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory Oracle E-Business Suite versions 12.2.3-12.2.15 across all environments and identify high-privileged iSupport users; escalate to Oracle Support for interim guidance. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37257 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy