Skip to main content

Oracle iSupport EUVDEUVD-2026-37259

| CVE-2026-46946 CRITICAL
Improper Access Control (CWE-284)
2026-06-16 oracle
9.1
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
9.1 CRITICAL

Network-reachable HTTP endpoint (AV:N) with no special conditions (AC:L), requires a high-privileged EBS/iSupport account (PR:H), no user interaction, and impact crosses into other EBS modules (S:C) with full CIA loss.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:58 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle iSupport in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is achievable by an authenticated high-privileged attacker over HTTP, with scope-changed impact extending to additional EBS components. The CVSS 3.1 base score of 9.1 reflects full confidentiality, integrity, and availability loss beyond the vulnerable component itself. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

Oracle iSupport is a self-service customer support module within the Oracle E-Business Suite (EBS) 12.2 application stack, deployed via the Oracle Application Server / WebLogic tier and backed by the EBS database schema. The affected component is 'Internal Operations,' which handles administrative/back-office workflows exposed over HTTP through the EBS framework. No CWE has been assigned by Oracle; the advisory only indicates a scope-changing flaw reachable over the network that yields component takeover, consistent with weaknesses in EBS administrative endpoints (authorization or injection-class issues) that have historically plagued the 12.2.x line.

RemediationAI

Apply the Oracle Critical Patch Update for June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html - Patch available per vendor advisory; Oracle has not published a discrete fixed micro-version in the supplied intelligence, so use the CPU patch matrix for your exact 12.2.x release. Until the CPU is applied, restrict network reachability of the iSupport Internal Operations URLs to trusted administrative networks only (firewall/reverse-proxy URL filtering on the EBS web tier), aggressively reduce the number of accounts holding iSupport administrative responsibilities, rotate credentials of any privileged iSupport users, and increase auditing on iSupport admin activity in the EBS FND audit tables; note that URL-level filtering can break legitimate internal admin workflows and that role reduction may temporarily impact support operations.

Share

EUVD-2026-37259 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy