Description
Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
Published: 2026-06-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Oracle iSupport’s Internal Operations component allows an attacker who has high privileges to exploit the service over HTTP. The vulnerability enables the attacker to hijack a session and take full control of iSupport, resulting in compromise of confidentiality, integrity, and availability. The weakness is a high‑severity remote code execution scenario, aligned with improper access control issues.

Affected Systems

Affected systems are those running Oracle iSupport for Oracle E‑Business Suite, specifically versions 12.2.3 through 12.2.15. The CNAs list the product as Oracle iSupport, a component of Oracle E‑Business Suite.

Risk and Exploitability

The CVSS v3.1 score of 9.1 signifies critical impact, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. The vulnerability’s scope change enables attackers to potentially affect other Oracle products beyond the initial target. Exploitation requires network access to the affected HTTP endpoint and a high‑privileged attacker, but the attack is described as easily exploitable even under these constraints.

Generated by OpenCVE AI on June 17, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the Oracle iSupport security patch that addresses CVE‑2026‑46946, covering versions 12.2.3 through 12.2.15.
  • If a patch is not yet available, restrict network access to the Oracle iSupport HTTP service, allowing only trusted internal hosts or explicit firewall rules.
  • Enforce least privilege by ensuring the account used for internal operations has the minimal permissions required and review any elevated privileges that could be exploited.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). |
| First Time appeared | | Oracle; Oracle isupport |
| CPEs | | cpe:2.3:a:oracle:isupport:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Oracle; Oracle isupport |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-16T19:27:59.503Z

Reserved: 2026-05-18T15:55:10.313Z

Link: CVE-2026-46946

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:00:10Z

Weaknesses

No weakness.