Description
Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-05-28
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability stems from a flaw in the Security component of Oracle Flow Manufacturing that permits a low‑privileged user with network access to manipulate SQL commands. The vulnerability can lead to complete compromise of the application, exposing confidential data and allowing modification or disruption of business processes. The primary weakness is an improper privilege management flaw (CWE‑269).

Affected Systems

Oracle Flow Manufacturing, part of Oracle E‑Business Suite, is affected in versions 12.2.9 through 12.2.15. Users of these releases should confirm that their instances fall within this version range.

Risk and Exploitability

The CVSS v3.1 base score of 8.8 indicates a high‑severity risk. The attack vector AV:N shows the flaw is reachable over the network, AC:L indicates low attack complexity, and PR:L confirms that low‑privilege credentials suffice. The EPSS score of less than 1% suggests a very low probability of exploitation at present, but the vulnerability remains exploitable under the described conditions. The flaw is not yet listed in the CISA KEV catalog, so a targeted attack is not publicly known at this time. The likely attack path involves a network‑bound attacker sending crafted SQL through the application, leading to privilege escalation and full takeover.

Generated by OpenCVE AI on May 29, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch specifically addressing this privilege escalation issue in Oracle Flow Manufacturing 12.2.9–12.2.15 as outlined in the Oracle Security Alert.
  • Restrict database roles to the minimum necessary permissions for the Flow Manufacturing application, ensuring users do not have broader database access than required (CWE‑269 mitigation).
  • Implement input validation and use parameterized queries or stored procedures for all database interactions to prevent SQL manipulation.
  • Apply network segmentation and firewall rules to restrict direct access to the Flow Manufacturing database to trusted administrators only.
  • Monitor database logs for anomalous SQL activity and review privilege changes for signs of exploitation.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Oracle e-business Suite
CPEs cpe:2.3:a:oracle:e-business_suite:*:*:*:*:*:*:*:*
Vendors & Products Oracle e-business Suite

Fri, 29 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation in Oracle Flow Manufacturing via SQL Manipulation

Fri, 29 May 2026 19:00:00 +0000

Type Values Removed Values Added
Title SQL Injection Allowing Full Takeover in Oracle Flow Manufacturing
Weaknesses CWE-89

Fri, 29 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 28 May 2026 22:00:00 +0000

Type Values Removed Values Added
Title SQL Injection Allowing Full Takeover in Oracle Flow Manufacturing
Weaknesses CWE-89

Thu, 28 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Flow Manufacturing product of Oracle E-Business Suite (component: Security). Supported versions that are affected are 12.2.9-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via SQL to compromise Oracle Flow Manufacturing. Successful attacks of this vulnerability can result in takeover of Oracle Flow Manufacturing. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle flow Manufacturing
CPEs cpe:2.3:a:oracle:flow_manufacturing:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle flow Manufacturing
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle E-business Suite Flow Manufacturing
MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-05-29T15:32:42.188Z

Reserved: 2026-05-18T15:55:10.305Z

Link: CVE-2026-46837

Vulnrichment

Updated: 2026-05-29T15:32:36.989Z

NVD

Status: Analyzed

Published: 2026-05-28T21:16:33.573

Modified: 2026-06-04T13:46:40.547

Link: CVE-2026-46837

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T21:15:08Z

Weaknesses

  • CWE-269: Improper Privilege Management