Description
Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Internet Procurement Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Internet Procurement Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Published: 2026-05-28
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated attacker with network access over HTTP can exploit a vulnerability in the Oracle Internet Procurement Connector to create, delete or modify critical data. The flaw leads to high confidentiality and integrity impacts, as the attacker can access all data exposed by the Connector. No availability impact is reported. This weakness is a form of improper access control, allowing privileged operations without authentication.

Affected Systems

Oracle Internet Procurement Connector distributed with Oracle E‑Business Suite, versions 12.2.3 through 12.2.15. All installations of these versions are susceptible; newer releases beyond 12.2.15 are not affected according to the vendor information.

Risk and Exploitability

The CVSS 3.1 Base Score of 9.1 indicates critical severity. Based on the description, it is inferred that the attack vector is an unauthenticated HTTP request. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The flaw is easily exploitable and requires no authentication, allowing attackers to immediately gain full control over Connector data, which poses a significant threat to organizations relying on this product.

Generated by OpenCVE AI on May 28, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Oracle Internet Procurement Connector to a version newer than 12.2.15, ensuring that known fixes for the unauthorized access flaw are included.
  • Restrict HTTP access to the Connector by placing it behind a firewall or VPN, limiting connectivity to trusted internal networks.
  • Configure authentication and authorization controls for Connector endpoints to enforce least‑privilege access; implement role‑based permissions if supported, and regularly audit access logs for anomalous activity.

Generated by OpenCVE AI on May 28, 2026 at 21:51 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 28 May 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Unauthenticated Remote Access Exploitation in Oracle Internet Procurement Connector |
| Weaknesses | | CWE-200, CWE-284 |

Thu, 28 May 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the Oracle Internet Procurement Connector product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Internet Procurement Connector. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Internet Procurement Connector accessible data as well as unauthorized access to critical data or complete access to all Oracle Internet Procurement Connector accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N). |
| First Time appeared | | Oracle; Oracle internet Procurement Connector |
| CPEs | | cpe:2.3:a:oracle:internet_procurement_connector:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle internet Procurement Connector |
| References | | |
| Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:40:18.211Z

Reserved: 2026-05-18T15:55:10.303Z

Link: CVE-2026-46819

Vulnrichment

Updated: 2026-05-29T15:40:05.493Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T21:16:31.760

Modified: 2026-05-29T16:16:28.900

Link: CVE-2026-46819

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:47:48Z

Weaknesses