Description
Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).
Published: 2026-06-16
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle Enterprise Asset Management in Oracle E‑Business Suite has an internal operations flaw that a low‑privileged attacker can exploit over HTTP. The vulnerability allows bypassing normal authentication controls, enabling the attacker to read critical data or all data exposed by the service. Additionally, the flaw can be used to trigger a partial denial of service. The CVSS 3.1 vector reflects a network‑based attack that requires low privilege and no user interaction, resulting in high confidentiality impact and low availability impact.

Affected Systems

Affected systems include Oracle Corporation’s Oracle Enterprise Asset Management component of Oracle E‑Business Suite, with supported versions from 12.2.3 through 12.2.15. These versions are widely deployed in enterprise environments and remain publicly available, placing organizations that have not applied a fix at significant risk.

Risk and Exploitability

The CVSS base score of 7.1 falls in the High severity band, while the EPSS score of less than 1% indicates that the probability of exploitation is currently low. The flaw is not listed in the CISA KEV catalog. Nonetheless, the attack path is straightforward: a low-privileged user with network access to the HTTP interface can trigger the flaw. Because the flaw can expose sensitive asset data and disrupt availability, organizations should treat it as a moderate-to-high risk that requires prompt remediation.

Generated by OpenCVE AI on June 17, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review Oracle’s security alert for this CVE and apply the official fix as soon as it becomes available.
  • Restrict HTTP access to the Enterprise Asset Management service to trusted internal networks or users only.
  • If the fix is not yet available, block access to the Internal Operations component from external networks or limit its exposure through firewall rules.
  • Enable comprehensive logging of authentication attempts and monitor for repeated failures or unusual access patterns to the Internal Operations component.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Values added (no values removed):

  • Description: Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Enterprise Asset Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 7.1 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L).
  • First Time appeared: Oracle; Oracle enterprise Asset Management
  • CPEs: cpe:2.3:a:oracle:enterprise_asset_management:*:*:*:*:*:*:*:*
  • Vendors & Products: Oracle; Oracle enterprise Asset Management
  • References
  • Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-17T14:09:26.575Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46932

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:15:16Z

Weaknesses

No weakness.