CVE-2026-46822: Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations)
Vulnerability in the Oracle iAssets product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iAssets. While the vulnerability is in Oracle iAssets, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iAssets. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
HarborGuard Analysis
Synopsis
A critical-severity vulnerability affects the Internal Operations component of Oracle iAssets within Oracle E-Business Suite (versions 12.2.3 through 12.2.15). It is reachable over the network via HTTP and requires only a low-privileged account, with no victim interaction needed; the vulnerability carries a scope change, meaning exploitation can spill over into other products beyond iAssets itself. Successful exploitation gives an attacker full takeover of Oracle iAssets, with high impact to confidentiality, integrity, and availability. No fix versions have been published upstream; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as Oracle releases a patch.
HarborGuard Coverage
Detection for CVE-2026-46822 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Oracle E-Business Suite components.
Status: Available
HarborGuard scores this CVE at its published CVSS 3.1 rating of 9.9 (Critical) and weights it against each environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within each customer organization based on asset ownership and policy configuration.
Status: Available
Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the meantime, customers can apply compensating controls through HarborGuard's policy engine, such as flagging affected images for network-policy isolation or blocking promotion of vulnerable image tags beyond staging environments.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle iAssets service over the network via HTTP; no local or physical access is needed.
- Authentication: Required
Any low-privileged account on the system is sufficient; no administrative or elevated credentials are required.
- Victim interaction: Not required
No victim action such as clicking a link or opening a file is needed; the attacker can exploit this directly.
- Attack complexity: Low
Attack complexity is low (AC:L): exploitation does not depend on race conditions, specific memory layouts, or other variable environmental factors outside the attacker's control, so an attack can be expected to succeed repeatably.
Blast Radius
- Reads all data accessible within Oracle iAssets, including asset records, internal operational data, and any session credentials stored in the component.
- Modifies or deletes persisted asset and operational records within Oracle iAssets, enabling data tampering or destruction.
- Crashes or renders Oracle iAssets unavailable, disrupting business processes that depend on asset management.
- Due to scope change, compromises additional Oracle E-Business Suite products beyond iAssets that share infrastructure or trust relationships with the affected component.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46822 is active and flags any image that includes an affected version of Oracle iAssets (12.2.3 through 12.2.15). Because Oracle has not published a fix at this time, no patched-image rebuild is yet available; HarborGuard re-evaluates the advisory on every ingest cycle and will automatically make a rebuild available the moment an upstream patch is released. For customers who opt into auto-remediation, that rebuild triggers a regression test run and a PR opened against affected workloads without manual intervention.

In the interim, recommended compensating controls are:
- Apply network policy rules that restrict HTTP access to the iAssets component to known, authorized source CIDRs only. Since any low-privileged account is sufficient to exploit the issue, this narrows who can reach the service but does not mitigate abuse by accounts that are already authorized to reach it.
- Block promotion of images containing affected versions past staging gates in the HarborGuard pipeline policy configuration.
- Enable egress filtering on containers running the component to limit lateral movement in the event of exploitation.

Where compliance policy permits, HarborGuard surfaces these policy recommendations directly in the findings dashboard for affected environments.
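The detection described in the coverage section and the promotion gate above both reduce to one check: is the iAssets version in an image inside the affected range 12.2.3 through 12.2.15? The block below is an added example, not HarborGuard's matcher or policy engine; it shows that check done correctly, the string-comparison bug that silently misses 12.2.9 and 12.2.10 through 12.2.15, and a small policy decision over a constructed image inventory. The image names, the `evaluate` function and its action labels are hypothetical.

```python
"""Version-range matching for an affected-version advisory (added example,
not HarborGuard code). Versions must be compared component by component as
integers; comparing them as strings gets multi-digit components wrong.
"""
from typing import Tuple

# Affected range stated in the Oracle advisory for CVE-2026-46822.
CVE_ID = "CVE-2026-46822"
AFFECTED_COMPONENT = "Oracle iAssets"
AFFECTED_LOW, AFFECTED_HIGH = "12.2.3", "12.2.15"


def parse_version(v: str) -> Tuple[int, ...]:
    """'12.2.15' -> (12, 2, 15). A non-numeric component raises rather than
    being treated as unaffected, so malformed metadata cannot hide a finding."""
    try:
        return tuple(int(p) for p in v.strip().split("."))
    except ValueError as e:
        raise ValueError(f"unparseable version {v!r}") from e


def is_affected(version: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> bool:
    """Inclusive range check on parsed version tuples.
    Tuple comparison is lexicographic on integers, so (12, 2, 9) < (12, 2, 15)."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def naive_is_affected(version: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> bool:
    """The bug to avoid: plain string comparison. '12.2.9' > '12.2.15' as
    strings because '9' > '1', so 12.2.9 is reported as NOT affected."""
    return low <= version <= high


# Constructed image inventory (hypothetical; not real customer data).
IMAGES = [
    {"image": "ebs-app:12.2.15", "component": "Oracle iAssets", "version": "12.2.15"},
    {"image": "ebs-app:12.2.9",  "component": "Oracle iAssets", "version": "12.2.9"},
    {"image": "ebs-app:12.2.2",  "component": "Oracle iAssets", "version": "12.2.2"},
    {"image": "ebs-app:12.3.0",  "component": "Oracle iAssets", "version": "12.3.0"},
    {"image": "web-proxy:1.0",   "component": "nginx",          "version": "1.25.3"},
]


def evaluate(images, target_env: str = "production"):
    """Hypothetical policy: an affected image may be deployed to staging
    (with a finding recorded) but is blocked from promotion anywhere else."""
    findings = []
    for img in images:
        if img["component"] != AFFECTED_COMPONENT:
            continue
        if is_affected(img["version"]):
            action = "allow-with-finding" if target_env == "staging" else "block-promotion"
            findings.append({"image": img["image"], "cve": CVE_ID,
                             "version": img["version"], "action": action})
    return findings


if __name__ == "__main__":
    for v in ("12.2.2", "12.2.3", "12.2.9", "12.2.15", "12.3.0"):
        print(f"{v:8} correct={is_affected(v)!s:5} naive={naive_is_affected(v)}")
    for f in evaluate(IMAGES):
        print(f)
```

Note that the naive comparison does not merely misorder versions; for this advisory it misses the most recent affected releases, which is exactly the set an estate is most likely to be running.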
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
- Oracle Corporation / Oracle iAssets: ≤ 12.2.15
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H