Description
Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in Oracle Cost Management allows a low‑privileged attacker with network access via HTTP to compromise the application. Successful exploitation causes loss of confidentiality, integrity, and availability and results in takeover of Oracle Cost Management. Based on the description, the issue appears to be an improper privilege management flaw, potentially aligning with CWE-269, which suggests that a low‑privileged user can gain elevated privileges within the application.

Affected Systems

Oracle Cost Management, part of Oracle E‑Business Suite, Cost Planning module. Versions 12.2.3 through 12.2.15 are affected. The product is provided by Oracle Corporation and no other versions are listed as vulnerable.

Risk and Exploitability

The CVSS score of 8.8 reflects high severity. The EPSS score of < 1% indicates a low estimated probability of exploitation, but the attack vector is the network, attack complexity is low, and no user interaction is required (AV:N/AC:L/UI:N), so an attacker who holds low privileges (PR:L) could exploit it with simple HTTP requests and without advanced skills. The vulnerability is not listed in the CISA KEV catalog, but its severity and ease of exploitation make it a significant risk for organizations running the affected versions.

Generated by OpenCVE AI on June 17, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Oracle patch or upgrade Cost Management to a version newer than 12.2.15 as released by Oracle.
  • Restrict HTTP access to the Cost Management interface, enforce strong authentication, and limit exposure to only trusted network segments.
  • Enable audit logging for Cost Management and monitor logs for anomalous activity; configure firewalls to block unauthorized IP ranges.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

Type | Values Removed | Values Added
Description | | Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared | | Oracle; Oracle cost Management
CPEs | | cpe:2.3:a:oracle:cost_management:*:*:*:*:*:*:*:*
Vendors & Products | | Oracle; Oracle cost Management
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-16T19:27:58.253Z

Reserved: 2026-05-18T15:55:10.312Z

Link: CVE-2026-46940

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T04:15:02Z

Weaknesses

No weakness.