CVE-2026-46820: Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components)
Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data as well as unauthorized update, insert or delete access to some of Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 8.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N).
HarborGuard Analysis
Synopsis
An unspecified vulnerability (likely improper access control or data exposure) affects the Common Components module of Oracle Financials Common Modules within Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over the network via HTTP and requires only a low-privileged account, with no user interaction needed; the CVSS scope change indicator means a successful attack can spill beyond the directly targeted component. Exploitation gives an attacker full read access to all data handled by Oracle Financials Common Modules and limited write access to insert, update, or delete some of that data. No fix version has been published by Oracle; HarborGuard is tracking this advisory and will surface a patched-image rebuild the moment an upstream fix becomes available.
HarborGuard Coverage
- Detection: Available
Detection capability for CVE-2026-46820 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including internally built images that package Oracle E-Business Suite components. Any image carrying an affected version of Oracle Financials Common Modules (12.2.3 through 12.2.15) will be flagged automatically.
- Triage: Available
HarborGuard scores this CVE at 8.5 HIGH using the published CVSS v3.1 vector and weights it against each customer environment's active compliance policy, which can escalate or adjust priority based on data-classification rules or regulatory context. Triage alerts are routable to the correct team inbox within each customer org based on image ownership and policy configuration.
- Remediation: Pending upstream
No fix version has been published by Oracle for this CVE. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle publishes a corrected package version. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be initiated without manual intervention once an upstream fix exists.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle E-Business Suite HTTP endpoint over a network connection; the service must be exposed to the attacker's network segment.
- Authentication: Required
A valid low-privilege account is sufficient; no administrative or elevated rights are needed to trigger the vulnerability.
- Victim interaction: Not required
No action from any other user or administrator is needed; the attacker can exploit the flaw entirely on their own.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and repeatable with no dependency on race conditions, special memory layouts, or other variable environmental factors.
Blast Radius
- Reads all data accessible to Oracle Financials Common Modules, which can include financial records, transaction histories, and sensitive configuration data.
- Inserts, updates, or deletes a subset of that data, allowing an attacker to tamper with financial records or corrupt application state.
- The CVSS scope change means impact can extend beyond the directly compromised component, affecting other Oracle E-Business Suite products sharing the same platform or data tier.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46820, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once an upstream fix is released. For customers with auto-remediation enabled, that rebuild will be followed immediately by a regression test run and a PR opened against any affected workload definitions, with no manual steps required. In the meantime, compensating controls worth evaluating include network-policy isolation that restricts HTTP access to the Oracle Financials Common Modules endpoint to known, authorized service accounts only; egress filtering to limit lateral movement if a low-privilege account is compromised; and review of which accounts hold even minimal roles within Oracle E-Business Suite, since this vulnerability requires only a low-privilege login. HarborGuard will surface a high-severity alert the moment a patched version becomes available, keeping affected environments in the remediation queue with no manual re-scanning required.
Metrics
- CVSS v3.1: 8.5
- Severity: HIGH
- Fixed in: none published
- Affected Products: 1
- Oracle Corporation / Oracle Financials Common Modules: ≤ 12.2.15
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N