Skip to main content

Oracle Project Portfolio Analysis EUVDEUVD-2026-37273

| CVE-2026-46962 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable HTTP endpoint (AV:N), low complexity per Oracle (AC:L), requires a low-privileged EBS account (PR:L), no user interaction (UI:N), and full module takeover yields C:H/I:H/A:H within the same security authority (S:U).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:50 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Authenticated takeover of Oracle Project Portfolio Analysis (E-Business Suite versions 12.2.3 through 12.2.15) is possible over HTTP, allowing a low-privileged attacker to fully compromise the application's confidentiality, integrity, and availability. Oracle rates this as easily exploitable with a CVSS 3.1 base score of 8.8, though no public exploit identified at time of analysis. The flaw resides in the Internal Operations component and was disclosed in Oracle's June 2026 Critical Patch Update.

Technical ContextAI

Oracle Project Portfolio Analysis is a module within Oracle E-Business Suite (EBS) used by enterprises for evaluating, prioritizing, and managing investment portfolios across projects. The affected component, Internal Operations, handles administrative and operational interactions within the EBS application tier, which is typically deployed on Oracle Application Server / WebLogic with HTTP-facing servlets. The CPE entry cpe:2.3:a:oracle_corporation:oracle_project_portfolio_analysis:*:*:*:*:*:*:*:* covers all listed versions. No CWE has been assigned by Oracle, which is consistent with Oracle's CPU disclosure practice of withholding root-cause classification; based on the 'takeover' impact via HTTP with low privileges, the underlying defect is most likely an authorization, deserialization, or input-validation weakness in an authenticated HTTP endpoint.

RemediationAI

Patch available per vendor advisory - apply the fixes shipped in the Oracle June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) to all Oracle E-Business Suite 12.2.x environments running Project Portfolio Analysis, following Oracle's prerequisite patch baseline and standard EBS application-tier patching procedure (adop online or offline cycle). Until patching is complete, compensating controls include restricting HTTP access to the EBS application tier so that only trusted corporate network ranges or VPN-authenticated users can reach the Project Portfolio Analysis URLs (typically /OA_HTML/ and Oracle Forms servlets) - note this breaks remote contractor and partner access; auditing and tightly limiting which application user responsibilities grant access to the Project Portfolio Analysis module reduces the population that can supply the required low-privilege session; and enabling EBS URL Firewall (FND: URL Firewall Validation Method) to whitelist permitted servlets cuts exposed surface but can break custom integrations and should be tested in non-production first.

Share

EUVD-2026-37273 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy