Description
Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Oracle Cost Management allows an attacker with low‑privileged network access via HTTP to execute privileged actions that compromise the entire application. The flaw results in confidentiality, integrity, and availability loss that effectively grants the attacker full control of the system. Based on the description, the issue appears to be an improper privilege management flaw, potentially aligning with CWE-269. This suggests that a low‑privileged user can gain elevated privileges within the application.

Affected Systems

Oracle Cost Management, part of Oracle E‑Business Suite, Cost Planning module. Versions 12.2.3 through 12.2.15 are affected. The product is provided by Oracle Corporation and no other versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity. EPSS <1% indicates a low probability of exploitation, but the network‑based attack vector means an attacker could deliver simple HTTP requests to gain control without advanced skills. The vulnerability is not listed in the CISA KEV catalog, but its severity and ease of exploitation make it a significant risk for organizations running the affected versions.

Generated by OpenCVE AI on June 18, 2026 at 20:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch or upgrade Cost Management to a version newer than 12.2.15 as released by Oracle.
  • Restrict HTTP access to the Cost Management interface, enforce strong authentication, and limit exposure to only trusted network segments.
  • Enable audit logging for Cost Management and monitor logs for anomalous activity; configure firewalls to block unauthorized IP ranges.

Generated by OpenCVE AI on June 18, 2026 at 20:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Oracle Cost Management Remote Code Execution via HTTP by Low‑Privileged Users

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
CWE-287
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Oracle Cost Management Remote Code Execution via HTTP by Low‑Privileged Users
Weaknesses CWE-269

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle cost Management
CPEs cpe:2.3:a:oracle:cost_management:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle cost Management
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Cost Management
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T13:46:29.708Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46940

cve-icon Vulnrichment

Updated: 2026-06-18T13:45:10.558Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control

  • CWE-287

    Improper Authentication

  • CWE-306

    Missing Authentication for Critical Function