Skip to main content

Oracle Advanced Outbound Telephony EUVDEUVD-2026-37262

| CVE-2026-46950 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable EBS HTTP endpoint (AV:N), low complexity (AC:L), requires any authenticated EBS user (PR:L), no user interaction, and Oracle states full product takeover yielding C:H/I:H/A:H within the same security authority (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:56 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Outbound Telephony. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover in Oracle Advanced Outbound Telephony (E-Business Suite component, versions 12.2.3 through 12.2.15) allows a low-privileged remote attacker with HTTP access to fully compromise the product's confidentiality, integrity, and availability. Oracle has published a fix in the June 2026 Critical Patch Update, and the CVSS 3.1 base score of 8.8 reflects an easily exploitable network-borne flaw, though no public exploit identified at time of analysis and EPSS data was not provided.

Technical ContextAI

Oracle Advanced Outbound Telephony is the predictive/preview dialer module of the Oracle E-Business Suite (EBS) Interaction Center family, built on top of the Oracle Application Server (Oracle HTTP Server + Forms/JSP/PL-SQL) stack and exposed through the EBS web tier. The 'Internal Operations' component handles back-end dialer administration and runtime control interactions, which are reachable over HTTP for authenticated EBS users. No CWE was assigned by the reporter, but the combination of low-privilege HTTP access leading to full product takeover is consistent with the broken-access-control / missing-authorization class of issues that have historically affected EBS Interaction Center modules.

RemediationAI

Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 (https://www.oracle.com/security-alerts/cspujun2026.html), which is the patch available per vendor advisory for EBS 12.2.3 through 12.2.15; exact post-patch version strings are tracked in the CPU readme and should be matched against your current EBS 12.2 RUP level. If the CPU cannot be applied immediately, reduce exposure by restricting HTTP access to the Advanced Outbound Telephony URLs at the EBS web tier (Oracle HTTP Server mod_rewrite / URL firewall rules) to only the trusted internal dialer operators, and consider temporarily disabling the Advanced Outbound Telephony responsibility for non-essential users - be aware that URL filtering can break legitimate dialer agent workflows and disabling responsibilities will stop outbound campaign operations until restored. Also rotate credentials and review audit logs for any low-privileged EBS accounts after patching, since PR:L exploitation is plausible from any compromised self-service account.

Share

EUVD-2026-37262 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy