Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable HTTP endpoint (AV:N), low complexity per Oracle (AC:L), requires a low-privileged EBS account (PR:L), no user interaction (UI:N), and full module takeover yields C:H/I:H/A:H within the same security authority (S:U).
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Authenticated takeover of Oracle Project Portfolio Analysis (E-Business Suite versions 12.2.3 through 12.2.15) is possible over HTTP, allowing a low-privileged attacker to fully compromise the application's confidentiality, integrity, and availability. Oracle rates this as easily exploitable with a CVSS 3.1 base score of 8.8, though no public exploit identified at time of analysis. The flaw resides in the Internal Operations component and was disclosed in Oracle's June 2026 Critical Patch Update.
Technical ContextAI
Oracle Project Portfolio Analysis is a module within Oracle E-Business Suite (EBS) used by enterprises for evaluating, prioritizing, and managing investment portfolios across projects. The affected component, Internal Operations, handles administrative and operational interactions within the EBS application tier, which is typically deployed on Oracle Application Server / WebLogic with HTTP-facing servlets. The CPE entry cpe:2.3:a:oracle_corporation:oracle_project_portfolio_analysis:*:*:*:*:*:*:*:* covers all listed versions. No CWE has been assigned by Oracle, which is consistent with Oracle's CPU disclosure practice of withholding root-cause classification; based on the 'takeover' impact via HTTP with low privileges, the underlying defect is most likely an authorization, deserialization, or input-validation weakness in an authenticated HTTP endpoint.
RemediationAI
Patch available per vendor advisory - apply the fixes shipped in the Oracle June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html) to all Oracle E-Business Suite 12.2.x environments running Project Portfolio Analysis, following Oracle's prerequisite patch baseline and standard EBS application-tier patching procedure (adop online or offline cycle). Until patching is complete, compensating controls include restricting HTTP access to the EBS application tier so that only trusted corporate network ranges or VPN-authenticated users can reach the Project Portfolio Analysis URLs (typically /OA_HTML/ and Oracle Forms servlets) - note this breaks remote contractor and partner access; auditing and tightly limiting which application user responsibilities grant access to the Project Portfolio Analysis module reduces the population that can supply the required low-privilege session; and enabling EBS URL Firewall (FND: URL Firewall Validation Method) to whitelist permitted servlets cuts exposed surface but can break custom integrations and should be tested in non-production first.
Account takeover in Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) versions 12.2.3 t
Full product takeover of Oracle Project Portfolio Analysis (E-Business Suite component Internal Operations) is possible
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37273