Description
Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
Published: 2026-05-28
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle Financials Common Modules has a vulnerability that allows a low‑privileged attacker with network access over HTTP to gain unauthorized access to critical data or full access to all data exposed by the modules. The CVSS vector indicates a high impact on confidentiality and no impact on integrity or availability. The identified weaknesses are listed as CWE-284 (Improper Access Control) and CWE-200 (Information Exposure).

Affected Systems

Oracle E‑Business Suite Financials Common Modules versions 12.2.3 through 12.2.15 are affected. Users running any of these releases expose the modules to the described exploitation path via HTTP endpoints.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity. The EPSS score is not available, so precise exploitation probability remains unknown, but the description indicates the vulnerability is easily exploitable. The vulnerability is not listed in the CISA KEV catalog. Based on the vector, the likely attack path involves a remote, low‑privileged attacker sending HTTP requests that exploit the flaw to access critical data exposed by the modules.

Generated by OpenCVE AI on May 28, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued security patch for Oracle Financials Common Modules that addresses the vulnerability
  • Restrict HTTP access to the modules to trusted IP ranges or VPN only, limiting exposure to external network traffic
  • Enforce stricter role‑based access controls so that low‑privileged accounts cannot access sensitive data exposed by the modules

Advisories

No advisories yet.

History

Fri, 29 May 2026 17:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 28 May 2026 22:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Title | | Low‑Privilege Access to Oracle Financials Common Modules via HTTP |
| Weaknesses | | CWE-200, CWE-284 |

Thu, 28 May 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N). |
| First Time appeared | | Oracle; Oracle financials Common Modules |
| CPEs | | cpe:2.3:a:oracle:financials_common_modules:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle; Oracle financials Common Modules |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:33:55.490Z

Reserved: 2026-05-18T15:55:10.303Z

Link: CVE-2026-46821

Vulnrichment

Updated: 2026-05-29T15:33:49.901Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T21:16:32.020

Modified: 2026-05-29T16:16:29.107

Link: CVE-2026-46821

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T22:00:14Z

Weaknesses