Description
Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Oracle Subledger Accounting allows a low‑privileged attacker with HTTP network access to fully compromise the application. The flaw is an improper access control weakness that enables unauthorized users to perform privileged operations, resulting in loss of confidentiality, integrity, and availability of the accounting data.

Affected Systems

Oracle Subledger Accounting component of Oracle E‑Business Suite, versions 12.2.3 through 12.2.15, is affected. The issue resides in the Internal Operations component that is exposed over HTTP.

Risk and Exploitability

The CVSS base score of 7.5 indicates moderate‑to‑high severity, while the EPSS score of less than 1% suggests a low probability of exploitation presently. The vulnerability is not included in the CISA KEV catalog. The likely attack path involves a network‑level attacker sending carefully crafted HTTP requests to the exposed Internal Operations interface, exploiting the access‑control weakness to achieve a full takeover of the Subledger Accounting service.

Generated by OpenCVE AI on June 18, 2026 at 20:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official Oracle patch or upgrade to a version that is not affected by CVE-2026-46958.
  • Restrict HTTP access to the Subledger Accounting service to trusted networks using firewall rules or a VPN.
  • Enforce least privilege for application accounts and disable any default or unused accounts.
  • Monitor logs for suspicious activity and configure alerts for unusual authentication attempts.

Generated by OpenCVE AI on June 18, 2026 at 20:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Low-Privileged HTTP Exploit Enables Complete Compromise of Oracle Subledger Accounting

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-269
CWE-306
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Low-Privileged HTTP Exploit Enables Complete Compromise of Oracle Subledger Accounting
Weaknesses CWE-284

Tue, 16 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Description Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
First Time appeared Oracle
Oracle subledger Accounting
CPEs cpe:2.3:a:oracle:subledger_accounting:*:*:*:*:*:*:*:*
Vendors & Products Oracle
Oracle subledger Accounting
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Oracle Subledger Accounting
cve-icon MITRE

Status: PUBLISHED

Assigner: oracle

Published:

Updated: 2026-06-18T13:42:18.752Z

Reserved: 2026-05-18T15:55:10.313Z

Link: CVE-2026-46958

cve-icon Vulnrichment

Updated: 2026-06-18T13:41:21.806Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-269

    Improper Privilege Management

  • CWE-284

    Improper Access Control

  • CWE-306

    Missing Authentication for Critical Function