CVE-2026-46916: Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Quality Management Specs)
Vulnerability in the Oracle Process Manufacturing Product Development product of Oracle E-Business Suite (component: Quality Management Specs). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development. Successful attacks of this vulnerability can result in takeover of Oracle Process Manufacturing Product Development. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a high-severity vulnerability in the Quality Management Specs component of Oracle Process Manufacturing Product Development, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over the network via HTTP and requires only a low-privileged account, with no victim interaction needed. Successful exploitation gives an attacker full control over the affected application, including complete read, write, and availability impact, effectively a takeover. No fix version has been published yet; HarborGuard is tracking the advisory for patch availability.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment. As soon as the advisory was published, CVE-2026-46916 was ingested from upstream feeds and matched against customer images, including custom-built images containing Oracle E-Business Suite components, within minutes of publication.
Status: Available
HarborGuard is capable of scoring this CVE at its published CVSS 3.1 base score of 8.8 (HIGH) and weighting it against each customer organization's compliance policy to determine severity prioritization. Triage routing is available to direct alerts to the appropriate team inbox within each customer environment based on policy configuration.
Status: Available
No upstream fix version has been published for CVE-2026-46916. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle publishes a fix. In the meantime, compensating controls such as network-policy isolation and HTTP egress filtering can be applied to reduce exposure.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must be able to reach the affected service over the network via HTTP; no local or physical access is required.
- Authentication: Required
  Any low-privileged account with network access is sufficient; no administrative or elevated credentials are needed.
- Victim interaction: Not required
  The attack is fully attacker-driven and does not require any action from a user of the affected system.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- A successful attacker can read all data accessible to the Oracle Process Manufacturing Product Development application, including quality management specifications and associated records.
- The attacker can write or modify persisted application data, including quality specs, batch records, and related manufacturing data.
- The attacker can crash or otherwise disrupt the availability of the Oracle Process Manufacturing Product Development service, affecting dependent manufacturing workflows.
- The combination of full confidentiality, integrity, and availability impact constitutes a complete application takeover for the affected component.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-46916, the platform monitors the Oracle advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as Oracle publishes a remediated version. For customers who opt into auto-remediation, that rebuild will be followed by a regression-test run and a PR opened against affected workloads with no manual intervention required. While waiting for an upstream patch, customers can apply compensating controls through HarborGuard policy enforcement: network-policy rules that restrict HTTP access to the affected component to authorized internal sources only, egress filtering to limit lateral movement if the service is compromised, and feature-flag or access-control gating to reduce the pool of accounts that can reach the Quality Management Specs endpoint. All affected image versions (Oracle E-Business Suite 12.2.3 through 12.2.15) are flagged in scan results so that teams can prioritize isolation or upgrade planning accordingly.
- Oracle Corporation / Oracle Process Manufacturing Product Development: ≤ 12.2.15
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H