Description
Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iAssets. While the vulnerability is in Oracle iAssets, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iAssets. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-05-28
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle iAssets, a component of Oracle E‑Business Suite, has a vulnerability that allows a low‑privileged attacker, who can reach the system over HTTP, to take full control of the application. The flaw can be exploited with minimal effort and without user interaction, leading to the disclosure of confidential data, modification of system state, and loss of availability. The high impact on confidentiality, integrity, and availability is reflected in the CVSS 3.1 base score of 9.9.

Affected Systems

Versions of Oracle iAssets from 12.2.3 through 12.2.15 are affected. The vulnerability is present in the Internal Operations component of the platform and may affect other Oracle E‑Business Suite products due to scope change. Users running these releases should verify their installation against the advisory.

Risk and Exploitability

The issue can be exploited remotely via the public network, requiring only a network connection to an HTTP endpoint. Because the required privilege level is low and no special inputs are needed, the attack vector is simple and the likelihood of exploitation is high, as the CVSS score indicates. Although the EPSS score is not available, the severity and lack of defensive controls make this vulnerability a high‑risk target. It is not yet listed in the CISA KEV catalog, but the impact warrants immediate attention.

Generated by OpenCVE AI on May 28, 2026 at 21:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch that removes the vulnerability in versions 12.2.3 to 12.2.15
  • Restrict HTTP access to the iAssets service to trusted internal IP addresses or networks
  • Segment the network to isolate iAssets from external facing components and enforce strict firewall rules
  • Monitor authentication logs and application activity for signs of exploitation attempts

Generated by OpenCVE AI on May 28, 2026 at 21:30 UTC.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 28 May 2026 21:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Title | | Remote Attack via HTTP Enables Full Compromise of Oracle iAssets |
| Weaknesses | | CWE-284 |

Thu, 28 May 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iAssets. While the vulnerability is in Oracle iAssets, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iAssets. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H). |
| First Time appeared | | Oracle, Oracle iassets |
| CPEs | | cpe:2.3:a:oracle:iassets:*:*:*:*:*:*:*:* |
| Vendors & Products | | Oracle, Oracle iassets |
| References | | |
| Metrics | | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:38:35.360Z

Reserved: 2026-05-18T15:55:10.303Z

Link: CVE-2026-46822

Vulnrichment

Updated: 2026-05-29T15:38:29.401Z

NVD

Status: Awaiting Analysis

Published: 2026-05-28T21:16:32.157

Modified: 2026-05-29T16:16:29.440

Link: CVE-2026-46822

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T21:30:26Z

Weaknesses