Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
HTTP-reachable EBS module exploitable by any authenticated low-privileged user (PR:L) with no interaction or complexity, yielding full module takeover (C/I/A:H), scope unchanged within EBS.
Primary rating from Vendor (oracle).
CVSS VectorVendor: oracle
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Public Sector Financials (International). Successful attacks of this vulnerability can result in takeover of Oracle Public Sector Financials (International). CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
AnalysisAI
Authorization flaw in Oracle Public Sector Financials (International) versions 12.2.3 through 12.2.15 enables low-privileged authenticated attackers with HTTP network access to fully take over the affected component. Oracle's Critical Patch Update describes the issue as easily exploitable with high impact to confidentiality, integrity, and availability (CVSS 8.8). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires (1) a reachable HTTP/HTTPS endpoint of an Oracle E-Business Suite 12.2.3-12.2.15 instance with the Public Sector Financials (International) localization module deployed and enabled, and (2) valid credentials for any low-privileged EBS account (PR:L) - anonymous exploitation is not in scope per the CVSS vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The combined signals point to a high real-world priority for any organization running Oracle EBS 12.2 with this module enabled. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained or registered any low-privileged EBS account - for example, a self-service user, a former contractor, or a phished employee - sends crafted HTTP requests to the Public Sector Financials (International) module endpoints and bypasses authorization checks to perform privileged operations, ultimately gaining full takeover of the module's data and workflows. Because Oracle rates the issue as easily exploitable with AC:L and no user interaction, repeatable exploitation against an exposed instance is realistic once the patch is reverse-engineered, even though no public exploit identified at time of analysis. |
| Remediation | Apply the Oracle Critical Patch Update referenced in the June 2026 advisory at https://www.oracle.com/security-alerts/cspujun2026.html; Oracle's CPU bundles the fix for CVE-2026-46967 across the 12.2.3-12.2.15 supported branches and specific patch numbers must be retrieved from My Oracle Support for the deployed version (exact patched build identifier not independently confirmed beyond the CPU advisory). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify and inventory all systems running Oracle Public Sector Financials versions 12.2.3-12.2.15; document current network exposure and user access patterns. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37278