HIGH · CVE-2026-46821 · CNA: oracle

CVE-2026-46821: Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components)

Vulnerability in the Oracle Financials Common Modules product of Oracle E-Business Suite (component: Common Components). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

HarborGuard Analysis

Synopsis

An unauthorized data-disclosure vulnerability exists in the Common Components module of Oracle Financials Common Modules, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over HTTP by any low-privileged authenticated user with network access, requiring no victim interaction. Successful exploitation gives an attacker full read access to all data accessible within Oracle Financials Common Modules, and because the CVSS scope is changed, it can spill into other products sharing the same environment. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-46821 is available across all HarborGuard environments. Within minutes of CVE publication, HarborGuard ingests records from upstream advisory feeds and matches them against every image in connected customer registries and CI/CD pipelines, including internally built images derived from Oracle E-Business Suite base layers.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 7.7 HIGH and weighting it against each environment's compliance policy to determine urgency. Routed findings land in the appropriate team inbox inside each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as an upstream fix is released. In the interim, the finding remains open and visible in each affected environment's vulnerability queue.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Oracle Financials Common Modules HTTP endpoint over a network; there is no requirement for local or physical access.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker does not need administrative or elevated credentials.

  • Victim interaction: Not required

    No user action is needed; the attacker can exploit the vulnerability entirely on their own without tricking another user into doing anything.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other environmental preconditions.

Blast Radius

  • Reads the complete set of financial data accessible to Oracle Financials Common Modules, including ledger entries, transaction records, and configuration data.
  • Because the CVSS scope is changed, an attacker can leverage the initial access to read data from other Oracle E-Business Suite products running in the same environment.
  • Sensitive financial records and any credentials or tokens stored within the application tier become exposed to the attacker.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked with no fix version currently published by Oracle. HarborGuard monitors the Oracle advisory on every ingest cycle and will automatically surface a patched-image rebuild opportunity the moment an upstream fix version is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and open a PR against affected workloads without manual intervention.

While no patch is available, customers can reduce exposure through:

  • network-policy controls that restrict HTTP access to Oracle Financials Common Modules endpoints to only authorized internal subnets;
  • egress filtering to limit lateral movement if the component is compromised;
  • feature-flag or access-control reviews to ensure low-privilege accounts cannot reach sensitive Common Components endpoints unnecessarily.

Metrics

  • CVSS v3.1: 7.7
  • Severity: HIGH
  • Fixed in: (no fix version published)
  • Affected Products: 1
  • Affected packages: Oracle Corporation / Oracle Financials Common Modules ≤ 12.2.15
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N