CVE-2026-46817 | Severity: CRITICAL | CNA: oracle

CVE-2026-46817: Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission)

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Payments. Successful attacks of this vulnerability can result in takeover of Oracle Payments. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

HarborGuard Analysis

Synopsis

A critical unauthenticated remote compromise vulnerability exists in the File Transmission component of Oracle Payments, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over HTTP from the network with no credentials required and no user interaction needed, making it trivially exploitable against any exposed instance. Successful exploitation results in full takeover of Oracle Payments, giving an attacker complete control over confidentiality, integrity, and availability of the affected system. No fix versions have been published; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as Oracle ships an upstream fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-46817 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that package Oracle E-Business Suite components.

Status: Available

Triage

Triage capability is available using the CVSS 3.1 base score of 9.8 (Critical), applied automatically to any matched image. Per-environment compliance policy weighting is available to adjust severity thresholds and route alerts to the correct team inbox within each customer organization.

Status: Available

Patch

Because no upstream fix version has been published for CVE-2026-46817, HarborGuard re-checks the Oracle advisory on every ingest cycle. The moment Oracle publishes a patched release, a rebuilt image at that fix version becomes available automatically; for customers with auto-remediation enabled, this triggers a regression test run and a PR opened against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Payments File Transmission component over the network via HTTP; any internet- or intranet-exposed instance is in scope.

  • Authentication: Not required

    No credentials of any kind are needed; the vulnerability is exploitable by a completely unauthenticated attacker.

  • Victim interaction: Not required

    No action by any user or administrator of the target system is required to trigger the vulnerability.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special preconditions, race conditions, or environmental factors.

Blast Radius

  • A successful attacker can read all data processed by Oracle Payments, including payment records, file transmission contents, and stored credentials or tokens.
  • The attacker can modify or delete payment files, transaction records, and configuration data persisted by the Oracle Payments component.
  • The attacker can crash the Oracle Payments service or render it unavailable, disrupting financial transaction processing for the affected environment.
  • Full system takeover means the attacker can pivot to other components of the Oracle E-Business Suite installation that share infrastructure with the compromised Payments service.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46817 is active across customer environments scanning any image that includes Oracle E-Business Suite Payments components at versions 12.2.3 through 12.2.15. Because Oracle has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released; for customers with auto-remediation enabled, that triggers a full regression test run and a PR opened against affected workloads without manual intervention.

In the interim, compensating controls worth considering include:

  • Network-policy isolation to restrict HTTP access to the File Transmission endpoint to only known trusted source IPs.
  • Egress filtering to limit lateral movement potential if a host is compromised.
  • Review of whether the File Transmission feature can be disabled or feature-flag gated in environments where it is not actively used.
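One way to check that the source-IP restriction on the File Transmission endpoint is actually in effect, as an added example that is not HarborGuard or Oracle code: it audits web access logs for endpoint requests from outside the trusted list. The endpoint prefix is a placeholder (the advisory does not name the path), and the trusted CIDRs and log lines are constructed.

```python
import ipaddress
import re

# Assumptions, not from the advisory: trusted CIDRs and the endpoint prefix.
TRUSTED_SOURCES = [ipaddress.ip_network(c) for c in ("10.20.0.0/24", "192.0.2.10/32")]
ENDPOINT_PREFIX = "/PLACEHOLDER/file-transmission"  # placeholder: set to your deployment's path

# Constructed sample lines in Common Log Format.
SAMPLE_LOG = """\
10.20.0.15 - - [12/Jan/2026:09:14:02 +0000] "POST /PLACEHOLDER/file-transmission/send HTTP/1.1" 200 512
203.0.113.77 - - [12/Jan/2026:09:15:40 +0000] "POST /PLACEHOLDER/file-transmission/send HTTP/1.1" 200 498
203.0.113.77 - - [12/Jan/2026:09:15:41 +0000] "GET /index.html HTTP/1.1" 200 1044
198.51.100.4 - - [12/Jan/2026:09:16:03 +0000] "GET /PLACEHOLDER/file-transmission/status HTTP/1.1" 403 0
not a log line
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(addr in net for net in TRUSTED_SOURCES)

def audit(log_text):
    """Return (findings, unparsed): endpoint requests from untrusted sources, and skipped lines."""
    findings, unparsed = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # keep these visible: a silent skip can hide traffic
            continue
        if not m["path"].startswith(ENDPOINT_PREFIX) or is_trusted(m["src"]):
            continue
        # A 2xx/3xx answer means the request got past the network policy.
        findings.append({"src": m["src"], "ts": m["ts"], "path": m["path"],
                         "status": int(m["status"]), "reached_app": m["status"][0] in "23"})
    return findings, unparsed

if __name__ == "__main__":
    hits, skipped = audit(SAMPLE_LOG)
    for h in hits:
        tag = "POLICY GAP" if h["reached_app"] else "blocked   "
        print(f'{tag} {h["src"]} {h["ts"]} {h["path"]} -> {h["status"]}')
    print(f"{len(skipped)} unparsed line(s)")
```

The match is on the raw request path as logged; if a proxy in front of the application normalises paths, run the audit on that proxy's logs so the prefix comparison sees what the application sees.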


Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: (none listed)
  • Affected products: 1
  • Affected packages: Oracle Corporation / Oracle Payments, ≤ 12.2.15
  • CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References