CVE-2026-46826 - Vulnerability Details

- Oracle Payroll Vulnerability Allows Remote Takeover via Missing Authentication

Description

Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Published: 2026-05-28

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability in Oracle Payroll allows an attacker with low‑privileged network access over HTTPS to compromise the application. The flaw is based on missing authentication, enabling the attacker to gain full control of Payroll and cause confidentiality, integrity, and availability violations, as indicated by a CVSS 3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Affected Systems

Oracle Corporation’s Oracle Payroll product, part of the Oracle E‑Business Suite. Supported releases affected by this issue are versions 12.2.3 through 12.2.15. The vulnerability is exploitable via the Internal Operations component when accessed over HTTPS.

Risk and Exploitability

The CVSS base score of 8.8 classifies this as a high‑severity flaw. EPSS score indicates a very low exploitation probability (<1%). The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a network‑based HTTPS connection, and the attack requires only low‑privileged credentials or the absence of strict authentication controls. An attacker gaining success can take over the Payroll system, endangering all sensitive business data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Oracle Corporation

Oracle Payroll

affected

Version	Status	Constraints
`12.2.3`	affected	≤ 12.2.15

No data.

Vendor Product Confidence Versions

Oracle

Payroll

95%

Version	Status	Scheme	Platform
`[12.2.3,12.2.15]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Deploy the latest Oracle E‑Business Suite patch set that contains the Oracle Payroll fix for versions 12.2.3 through 12.2.15.
Restrict network access to the Payroll application to trusted IP ranges and enforce multi‑factor authentication for all users accessing the system.
Monitor audit logs for suspicious activity and schedule regular penetration testing of the Payroll subsystem.

Generated by OpenCVE AI on May 29, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00042.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://www.oracle.com/security-alerts/cspumay2026.html

History

Fri, 29 May 2026 19:45:00 +0000

Type	Values Removed	Values Added
Title		Oracle Payroll Vulnerability Allows Remote Takeover via Missing Authentication

Fri, 29 May 2026 18:30:00 +0000

Type	Values Removed	Values Added
Title	Low‑Privilege Remote Exploit in Oracle Payroll Allows Full Compromise
Weaknesses	CWE-284

Fri, 29 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-306
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 28 May 2026 21:45:00 +0000

Type	Values Removed	Values Added
Title		Low‑Privilege Remote Exploit in Oracle Payroll Allows Full Compromise
Weaknesses		CWE-284

Thu, 28 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Description		Vulnerability in the Oracle Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Payroll. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared		Oracle Oracle payroll
CPEs		cpe:2.3:a:oracle:payroll::::::::
Vendors & Products		Oracle Oracle payroll
References		https://www.oracle.com/security-alerts/cspumay2026.html
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Oracle Payroll

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2026-05-28T20:17:13.526Z

Updated: 2026-05-29T15:28:40.673Z

Reserved: 2026-05-18T15:55:10.304Z

Link: CVE-2026-46826

Vulnrichment

Updated: 2026-05-29T15:28:36.452Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T21:16:32.560

Modified: 2026-05-29T16:16:29.800

Link: CVE-2026-46826

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T19:30:05Z

Weaknesses

CWE-306

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object