Skip to main content

Oracle Subledger Accounting EUVDEUVD-2026-37269

| CVE-2026-46958 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

HTTP-reachable EBS app tier gives AV:N/UI:N; Oracle's 'difficult to exploit' wording supports AC:H; a low-privileged EBS account is required (PR:L); takeover of SLA yields C:H/I:H/A:H within the same scope.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:52 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Takeover of Oracle Subledger Accounting (component: Internal Operations) in Oracle E-Business Suite versions 12.2.3 through 12.2.15 is possible by a low-privileged remote attacker leveraging HTTP. The flaw yields full confidentiality, integrity, and availability impact (CVSS 7.5) but is rated high attack complexity, so reliable exploitation is non-trivial. No public exploit identified at time of analysis, and the issue is not listed on CISA KEV.

Technical ContextAI

Oracle Subledger Accounting (SLA) is the rule-based accounting engine inside Oracle E-Business Suite (EBS) 12.2.x that translates subledger transactions (Payables, Receivables, Assets, Projects, etc.) into General Ledger journal entries. The 'Internal Operations' component handles internal application processing and administrative plumbing rather than externally-facing UI flows, which typically means an attacker must reach an EBS application tier endpoint over HTTP and abuse a function exposed to authenticated EBS users. No CWE is published by Oracle (per their disclosure practice), so the precise root cause class (e.g., authorization flaw, injection, deserialization) is not enumerated in the input; the CPE confirms the affected component is oracle_subledger_accounting with all version-bearing fields wildcarded, with the 12.2.3-12.2.15 range coming from the description.

RemediationAI

Apply the fixes shipped in the Oracle Critical Patch Update of June 2026 as documented at https://www.oracle.com/security-alerts/cspujun2026.html; patch availability is confirmed via the Oracle CPU reference but no exact CPU patch number or post-patch version string is provided in the input data, so the precise fix identifier should be taken from the CPU bulletin itself. Until the CPU is applied, restrict HTTP access to the EBS application tier to trusted networks via firewall or reverse-proxy ACLs (side effect: may break integrations or remote user workflows that traverse the same path), audit and prune EBS responsibilities so that low-privilege accounts cannot reach Subledger Accounting Internal Operations functions, and increase logging on EBS application servers to detect anomalous SLA activity. Avoid disabling Subledger Accounting itself, as it is required for journal generation across most EBS financial modules.

Share

EUVD-2026-37269 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy