CVE-2026-46823: Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization)
Vulnerability in the Oracle Public Sector Financials (International) product of Oracle E-Business Suite (component: Authorization). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle Public Sector Financials (International). While the vulnerability is in Oracle Public Sector Financials (International), attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Public Sector Financials (International) accessible data. CVSS 3.1 Base Score 7.7 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).
HarborGuard Analysis
Synopsis
An authorization bypass vulnerability affects the Oracle Public Sector Financials (International) component of Oracle E-Business Suite (versions 12.2.6 through 12.2.15). The flaw is reachable over the network via HTTPS and requires only a low-privileged account, with no victim interaction needed. Successful exploitation gives an attacker unauthorized read access to critical or all data accessible to the affected component, with scope change meaning the impact can spill into other products in the same environment. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.
HarborGuard Coverage
Detection: Available
Detection of CVE-2026-46823 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle Oracle E-Business Suite components. Any image running an affected version (12.2.6 through 12.2.15) of Oracle Public Sector Financials (International) is flagged automatically across both registry scans and CI/CD pipeline checks.
Triage: Available
Triage is available with a CVSS 3.1 score of 7.7 (HIGH severity) applied to every matched image, weighted against each customer organization's own compliance policy to surface the finding in the appropriate team inbox. Per-environment policy controls let security and finance teams prioritize remediation queues based on their own risk thresholds.
Remediation: Pending upstream
Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered without manual intervention as soon as a fix version becomes available.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Oracle E-Business Suite instance over the network via HTTPS; no local or physical access is needed.
- Authentication: Required
A low-privilege authenticated account is sufficient; the attacker does not need administrator or elevated credentials.
- Victim interaction: Not required
No user interaction is needed; the attacker can exploit the vulnerability without involving any other account or session.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites.
Blast Radius
- Reads critical data stored within Oracle Public Sector Financials (International), including financial records, budget data, and authorization-controlled documents.
- Gains complete read access to all data the affected component can reach, not just a subset.
- Due to scope change, unauthorized data access extends to other Oracle E-Business Suite products sharing the same environment, not just the directly targeted component.
- Confidentiality is fully compromised for the affected data tier; integrity and availability of stored data are not directly affected by this vulnerability.
How HarborGuard Handles This
Available on HarborGuard: this CVE is ingested from Oracle and upstream NVD feeds and matched against any customer image that includes Oracle Public Sector Financials (International) versions 12.2.6 through 12.2.15. Because Oracle has not yet published a fix version, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically when Oracle ships a patch, with auto-remediation customers receiving a rebuild, regression run, and PR with no manual steps required.
In the interim, compensating controls to consider include isolating the E-Business Suite network segment behind a strict ingress network policy that limits HTTPS access to known IP ranges, enforcing least-privilege account management to reduce the pool of credentials that could be used in an attack, and applying egress filtering to limit which data paths the affected component can reach if the scope-change impact is realised. HarborGuard will surface any policy-relevant change to this advisory as soon as it is detected.
Metrics
- CVSS v3.1: 7.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
  - Oracle Corporation / Oracle Public Sector Financials (International), ≤ 12.2.15
- CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N