Skip to main content

Oracle E-Business Suite EUVDEUVD-2026-37263

| CVE-2026-46951 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

HTTP-reachable EBS component, vendor labels exploitation easy with no user interaction, requires a low-privileged EBS account, and results in full Quality module takeover (C/I/A High).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:56 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Quality product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Quality. Successful attacks of this vulnerability can result in takeover of Oracle Quality. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Account takeover of the Oracle Quality module in Oracle E-Business Suite versions 12.2.3 through 12.2.15 allows a low-privileged authenticated attacker to fully compromise the component over HTTP. Per the vendor's June 2026 Critical Patch Update advisory the issue is rated CVSS 8.8 with high impact on confidentiality, integrity, and availability, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privileged EBS credentials
Delivery
Reach Oracle Quality HTTP endpoint
Exploit
Send crafted Internal Operations request
Execution
Bypass authorization in Quality module
Impact
Take over Oracle Quality data and functions

Vulnerability AssessmentAI

Exploitation Exploitation requires (1) network reachability to the Oracle E-Business Suite web tier over HTTP/HTTPS, and (2) a valid low-privileged authenticated session on EBS (PR:L) capable of reaching the Oracle Quality module's Internal Operations component on a supported 12.2.3-12.2.15 deployment. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H combined with Oracle's own 'easily exploitable' language indicates a genuinely high real-world risk for any EBS environment where low-privileged accounts can reach the Quality module over HTTP - this is the typical condition in EBS deployments, where many internal users hold low-privilege roles. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained any low-privileged Oracle E-Business Suite account - for example a generic internal employee responsibility or a compromised contractor login - sends crafted HTTP requests to the Oracle Quality Internal Operations component over the EBS web tier and achieves full takeover of the Quality module, allowing them to read, modify, or destroy quality-management data. Because Oracle rates the issue 'easily exploitable' and the CVSS vector is AC:L/UI:N, no user interaction or unusual conditions are required once a low-privilege session exists, although no public exploit is identified at time of analysis.
Remediation Apply the patch available per vendor advisory by installing the Oracle E-Business Suite fixes shipped in the June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); Oracle does not publish a discrete fixed micro-version for EBS modules, so the CPU patch set itself is the authoritative remediation. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Oracle E-Business Suite deployments running versions 12.2.3-12.2.15 with the Quality module enabled; assess which systems are accessible from untrusted networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37263 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy