Description
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Oracle iSupport, part of Oracle E-Business Suite, contains a vulnerability that permits a highly privileged attacker with network access over HTTP to compromise the service. The flaw allows takeover of the entire iSupport instance and may extend impact beyond iSupport to other products in the same stack. Based on the description, it is inferred that the weakness involves an authentication bypass or improper authorization control, although the CVE entry does not explicitly identify a specific CWE.

Affected Systems

Oracle iSupport versions 12.2.3 through 12.2.15 are affected. These versions are publicly supported and remain vulnerable until patched or upgraded.

Risk and Exploitability

The CVSS 3.1 base score of 9.1 indicates a critical vulnerability, with significant confidentiality, integrity, and availability impacts. The EPSS score of <1% suggests that exploitation is currently unlikely, but the risk remains high if an attacker gains the required credentials and network access via HTTP. The flaw can affect additional Oracle applications through a scope change, as indicated in the description. The vulnerability is not yet listed in the CISA KEV catalog. Attackers would need high privileges and access to the iSupport HTTP interface to exploit the flaw, after which they could potentially take over the entire service.

Generated by OpenCVE AI on June 17, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest Oracle iSupport patch or upgrade to a version that includes the fix for this vulnerability.
  • Configure network firewalls or VPNs to restrict HTTP access to the iSupport server to trusted administrators only.
  • Enable detailed logging on the iSupport service and routinely review logs for unauthorized access attempts or anomalous activity.


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). |
| First Time appeared | | Oracle; Oracle isupport |
| CPEs | | `cpe:2.3:a:oracle:isupport:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Oracle; Oracle isupport |
| References | | |
| Metrics | | cvssV3_1: `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-16T19:27:58.881Z

Reserved: 2026-05-18T15:55:10.313Z

Link: CVE-2026-46944

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:00:10Z

Weaknesses

No weakness.