Skip to main content

Oracle HR Intelligence EUVDEUVD-2026-37281

| CVE-2026-46971 HIGH
Improper Access Control (CWE-284)
2026-06-16 oracle
7.5
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

HTTP-reachable EBS module (AV:N), needs valid low-priv EBS account (PR:L), Oracle states exploitation is difficult (AC:H), no UI, full module takeover gives C/I/A:H within same scope.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:46 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full compromise of Oracle HR Intelligence (a module of Oracle E-Business Suite) is possible for an authenticated low-privileged attacker who can reach the Internal Operations component over HTTP, per Oracle's June 2026 Critical Patch Update. The flaw affects EBS versions 12.2.3 through 12.2.15 and yields high impact across confidentiality, integrity, and availability, though Oracle rates exploitation as difficult (AC:H). No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

Oracle HR Intelligence is a Human Resources analytics module that ships as part of the Oracle E-Business Suite 12.2 application stack, running on the Oracle Application Server / WebLogic middleware tier and backed by the Oracle Database. The vulnerability lives in the 'Internal Operations' component, which handles administrative and back-office HR data flows reachable through the EBS HTTP front end. Oracle did not assign a CWE and does not disclose root-cause details in CPU advisories; CVSS impact metrics C:H/I:H/A:H combined with the 'takeover of Oracle HR Intelligence' language are consistent with an authenticated logic or injection flaw in an HTTP-exposed module rather than a memory-corruption bug.

RemediationAI

Apply the Oracle E-Business Suite patches bundled in the June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); Oracle ships HR Intelligence fixes as part of the standard EBS 12.2 patchset for versions 12.2.3 through 12.2.15, and Patch available per vendor advisory with no separate fix version number disclosed. Until the CPU is applied, restrict access to the EBS HTTP tier and HR Intelligence URLs to trusted corporate networks via the Oracle HTTP Server URL firewall (mod_rewrite/DAD restrictions) or a perimeter WAF, accepting that this breaks legitimate remote self-service access. Audit and minimise low-privilege EBS accounts (especially generic HR self-service users) and enforce MFA on the EBS login flow to raise the bar against the PR:L prerequisite; the trade-off is added friction for end users.

Share

EUVD-2026-37281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy