Skip to main content

Oracle E-Business Suite EUVDEUVD-2026-37282

| CVE-2026-46972 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-06-16 oracle
8.8
CVSS 3.1 · Vendor: oracle
Share

Severity by source

Vendor (oracle) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

HTTP-reachable EBS web tier (AV:N), Oracle labels easily exploitable (AC:L), requires a low-privileged EBS account (PR:L), no user interaction, and description states full module takeover (C:H/I:H/A:H).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (oracle).

CVSS VectorVendor: oracle

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 16, 2026 - 21:46 vuln.today

DescriptionCVE.org

Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

AnalysisAI

Full takeover of Oracle Outsourced Mfg for Discrete Industries (component: Internal Operations) is achievable by a low-privileged authenticated attacker over HTTP, per Oracle's June 2026 Critical Patch Update advisory. The CVSS 3.1 base score of 8.8 reflects high impact across confidentiality, integrity, and availability with low attack complexity, though no public exploit identified at time of analysis. Affected versions span 12.2.3 through 12.2.15 of Oracle E-Business Suite.

Technical ContextAI

Oracle E-Business Suite (EBS) is Oracle's flagship enterprise resource planning (ERP) platform, with the Outsourced Mfg for Discrete Industries module supporting manufacturers who delegate production to third parties. The vulnerable Internal Operations component is reached over HTTP, indicating exposure through the EBS web-tier (typically the Oracle HTTP Server fronting OAF/Forms servlets). No CWE was assigned by Oracle (their CPU advisories routinely omit CWE classification), but the combination of low privileges, network HTTP vector, and full C/I/A compromise is consistent with an authenticated injection, deserialization, or access-control bypass in an EBS servlet or PL/SQL gateway endpoint.

RemediationAI

Apply patch available per vendor advisory by installing the fixes bundled in Oracle's June 2026 Critical Patch Update (https://www.oracle.com/security-alerts/cspujun2026.html); exact patch numbers are listed in the CPU's E-Business Suite patch availability matrix and should be applied to all instances on 12.2.3-12.2.15 in line with Oracle's standard adop/ad utility procedures, followed by post-patch validation of the Outsourced Mfg module. Until patched, restrict network reachability to the EBS web tier by placing it behind a VPN or reverse proxy with IP allow-listing, audit and reduce accounts with access to the Outsourced Mfg / Internal Operations responsibilities (since any low-privileged EBS user can exploit), and consider WAF rules in front of the affected servlet paths once Oracle identifies them in the CPU notes; these controls reduce attack surface but do not address the underlying flaw and may break legitimate workflows for outsourced manufacturing partners.

Share

EUVD-2026-37282 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy