Description
Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Oracle Cost Management’s Cost Planning component lets a low‑privileged user with network access via HTTP gain full control of the application. The vulnerability is exploitable without user interaction and can lead to the attacker taking over the Cost Management service, compromising the confidentiality, integrity, and availability of the affected data and processes.

Affected Systems

Oracle E‑Business Suite Oracle Cost Management versions 12.2.3 through 12.2.15 are affected.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 indicates a high‑severity flaw. The EPSS score is below 1%, suggesting a low likelihood of exploitation in the wild, and the issue is not listed in the CISA KEV catalog. The likely attack vector is a network‑based HTTP request. An attacker only needs network connectivity to the Cost Planning service and a low‑privileged account; no additional privileges or user interaction are required to exploit the privilege escalation that drives the takeover.

Generated by OpenCVE AI on June 18, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle patch for CVE‑2026‑46929 to affected versions.
  • Upgrade to a later release of Oracle Cost Management that supersedes version 12.2.15.
  • Restrict HTTP access to the Cost Management servers to trusted networks and enforce strict role‑based access controls so that low‑privileged accounts cannot invoke privileged functions.
  • Monitor application logs for anomalous activity and perform regular vulnerability scans on the affected component.

Generated by OpenCVE AI on June 18, 2026 at 21:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Title Low-Privileged Network Attack Enables Full Takeover of Oracle Cost Management

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low-Privileged Network Attack Enables Full Takeover of Oracle Cost Management
Weaknesses CWE-269
CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle cost Management
CPEs cpe:2.3:a:oracle:cost_management:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle cost Management
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Cost Management
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:17:01.528Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46929

cve-icon Vulnrichment

Updated: 2026-06-17T14:16:20.584Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T21:45:04Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control

  • CWE-287

    Improper Authentication

  • CWE-306

    Missing Authentication for Critical Function