Severity: HIGH | CVE-2026-46818 | CNA: oracle

CVE-2026-46818: Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission)

Vulnerability in the Oracle Payments product of Oracle E-Business Suite (component: File Transmission). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Payments. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Payments accessible data as well as unauthorized access to critical data or complete access to all Oracle Payments accessible data. CVSS 3.1 Base Score 7.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

HarborGuard Analysis


Synopsis

This is a high-severity vulnerability in the File Transmission component of Oracle Payments, part of Oracle E-Business Suite (versions 12.2.3 through 12.2.15). An unauthenticated attacker with network access over HTTPS can exploit this flaw, though exploitation requires meeting certain high-complexity conditions. Successful exploitation gives the attacker full read access to all Oracle Payments data and the ability to create, modify, or delete critical payment records. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.

HarborGuard Coverage

Detection

Detection of CVE-2026-46818 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication from upstream feeds, including custom-built images that package Oracle E-Business Suite components. Any image containing an affected Oracle Payments version (12.2.3 through 12.2.15) is flagged automatically across customer registries and CI/CD pipelines.

Status: Available

Triage

Triage is available with a CVSS 3.1 score of 7.4 (HIGH), surfaced alongside per-environment compliance policy weighting so teams can prioritize based on their own risk thresholds. Findings are routed to the appropriate inbox within each customer organization according to configured policy rules.

Status: Available

Patch

Because no upstream fix has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once the upstream patch ships.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Payments service over the network via HTTPS; the service must be exposed to the attacker's network.

  • Authentication: Not required

    No credentials or account of any kind are needed; the attacker can target the service as an unauthenticated party.

  • Victim interaction: Not required

    No user action or social engineering is required; the attacker operates entirely without victim participation.

  • Attack complexity: Detail

    Exploitation is rated high complexity, meaning the attacker must meet specific conditions such as race timing, non-default configuration state, or other environmental factors that are not fully under the attacker's control.

Blast Radius

  • Reads all Oracle Payments accessible data, including stored payment records, account details, and transaction history.
  • Reads critical subsets of Oracle Payments data that would not ordinarily be accessible to an unauthenticated party.
  • Creates, modifies, or deletes critical payment data, enabling fraud, record tampering, or destruction of financial records.
  • Modifies or deletes all Oracle Payments accessible data, with potential for broad disruption to payment processing operations.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46818, the platform monitors the upstream Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger immediately without manual steps. In the interim, compensating controls are worth considering: network-policy isolation to restrict HTTPS access to the Oracle Payments File Transmission endpoint to known trusted source ranges, egress filtering to limit lateral movement in the event of compromise, and feature-flag gating or disablement of the File Transmission component where business operations allow. The HIGH severity rating (CVSS 7.4) reflects the full confidentiality and integrity impact, and HarborGuard will surface a rebuild notification to affected environments as soon as upstream supply is available.


Metrics

  • CVSS v3.1: 7.4
  • Severity: HIGH
  • Fixed in:
  • Affected Products: 1
  • Affected packages: Oracle Corporation / Oracle Payments ≤ 12.2.15
  • CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N