Description
Vulnerability in the Oracle Receivables product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SOAP to compromise Oracle Receivables. Successful attacks of this vulnerability can result in takeover of Oracle Receivables. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in the Internal Operations component of Oracle Receivables allows an unauthenticated attacker with network access to the SOAP interface to compromise the application. Successful exploitation can lead to full control of Oracle Receivables, causing significant confidentiality, integrity, and availability damage as reflected in the CVSS 3.1 base score of 8.1. The detailed description does not state the exact weakness type but indicates that authentication and access controls are insufficient.

Affected Systems

Oracle Corporation’s Oracle Receivables component of Oracle E‑Business Suite is affected. The vulnerability applies to product releases from version 12.2.3 through 12.2.15.

Risk and Exploitability

The CVSS score of 8.1 marks this issue as high severity, while the EPSS score of less than 1 % indicates that exploitation is considered unlikely at present. The vulnerability is not listed in CISA’s KEV catalog. A remote attacker does not need authentication and can attack over the SOAP service accessible on the network, which provides a broad attack surface for adversaries seeking full system control.

Generated by OpenCVE AI on June 19, 2026 at 00:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Oracle’s security patch catalog for the applicable update to Oracle Receivables 12.2.3–12.2.15 and apply it immediately.
  • Restrict network access to the Oracle Receivables SOAP endpoint by using firewalls or segmentation so that only trusted hosts can reach the service.
  • Monitor and audit logs for any suspicious activity against the Internal Operations component, and verify that access controls are properly enforced.

Generated by OpenCVE AI on June 19, 2026 at 00:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated SOAP Access Enables Application Takeover in Oracle Receivables

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated SOAP Access Enables Takeover of Oracle Receivables
Weaknesses CWE-287

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Unauthenticated SOAP Access Enables Takeover of Oracle Receivables
Weaknesses CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Receivables product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via SOAP to compromise Oracle Receivables. Successful attacks of this vulnerability can result in takeover of Oracle Receivables. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle receivables
CPEs cpe:2.3:a:oracle:receivables:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle receivables
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Receivables
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:03:14.760Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46927

cve-icon Vulnrichment

Updated: 2026-06-17T14:03:09.613Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T00:15:03Z

Weaknesses
  • CWE-284

    Improper Access Control

  • CWE-306

    Missing Authentication for Critical Function