Description
Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-05-28
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is located in the File Transmission component of Oracle Payments, part of Oracle E‑Business Suite. An unauthenticated attacker with network access via HTTP can send a specially crafted request that bypasses authentication checks and leads to a takeover of Oracle Payments. This would compromise the confidentiality, integrity, and availability of all financial data stored or processed by the application.

Affected Systems

Oracle Payments product of Oracle E‑Business Suite versions 12.2.3 through 12.2.15 are affected.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical flaw. The EPSS score is 0.00043, indicating a very low exploitation probability; however, an attacker with network access can still reach the File Transmission endpoint over HTTP and exploit the lack of authentication. The vulnerability is not listed in CISA's KEV catalog, but the lack of authentication and HTTP exposure suggest that exploitation could be feasible if a target is identified.

Generated by OpenCVE AI on May 29, 2026 at 18:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle Payments patch that includes the fix for CVE‑2026‑46817.
  • Restrict or block external HTTP access to the File Transmission endpoint until the patch is applied.
  • Implement network segmentation so that only trusted internal services can reach Oracle Payments and monitor for suspicious file transfer activity.

Generated by OpenCVE AI on May 29, 2026 at 18:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 18:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Oracle Payments Takeover

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-287
CWE-306

Thu, 28 May 2026 22:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated HTTP Access Allows Oracle Payments Takeover
Weaknesses CWE-284

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle payments
CPEs cpe:2.3:a:oracle:payments:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle payments
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Oracle Payments
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:42:19.794Z

Reserved: 2026-05-18T15:55:10.302Z

Link: CVE-2026-46817

cve-icon Vulnrichment

Updated: 2026-05-29T15:42:12.122Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-28T21:16:31.503

Modified: 2026-05-29T16:16:28.533

Link: CVE-2026-46817

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T18:15:04Z

Weaknesses