CRITICAL | CVE-2026-46930 | CNA: oracle

CVE-2026-46930: Vulnerability in the Oracle In-Memory Cost Management for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations)

Vulnerability in the Oracle In-Memory Cost Management for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.12-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle In-Memory Cost Management for Discrete Industries. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle In-Memory Cost Management for Discrete Industries accessible data as well as unauthorized access to critical data or complete access to all Oracle In-Memory Cost Management for Discrete Industries accessible data. CVSS 3.1 Base Score 9.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in:
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a remotely exploitable vulnerability that requires no authentication, affecting Oracle In-Memory Cost Management for Discrete Industries, a product of Oracle E-Business Suite (versions 12.2.12 through 12.2.15). The flaw is reachable over the network via HTTPS with no credentials required and no user interaction needed. Successful exploitation gives an attacker full read access to all data the component can reach, plus the ability to create, modify, or delete critical records. No vendor fix has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-46930 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including Oracle and NVD sources. This matching covers both pulled base images and custom-built images that bundle affected Oracle E-Business Suite components.

Status: Available

Triage

HarborGuard triage capability scores this CVE at 9.1 CRITICAL (CVSS v3.1) and can weight findings against each customer environment's compliance policy before routing alerts to the appropriate team inbox. Per-environment context, such as whether the affected component is internet-exposed, is factored into prioritization automatically.

Status: Available

Patch

Because no vendor fix has been published, HarborGuard re-checks the Oracle advisory and upstream package feeds on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix appears. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger without manual intervention once a fix version is published.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle E-Business Suite service over the network via HTTPS; no physical or local access is assumed.

  • Authentication: Not required

    No credentials of any privilege level are needed; the attacker can send unauthenticated requests directly to the exposed endpoint.

  • Victim interaction: Not required

    No user action, click, or session is required for the attack to succeed.

  • Attack complexity: Detail

    Exploit conditions are straightforward and reliable; no race conditions, special memory layout, or environmental dependencies are required.

Blast Radius

  • Reads all data accessible to the Oracle In-Memory Cost Management component, including cost records, pricing models, and any manufacturing or financial data within scope.
  • Creates, modifies, or deletes critical records across the component, allowing an attacker to corrupt cost calculations, plant false data, or erase audit trails.
  • The CVSS scope is unchanged (S:U), so the direct impact is confined to the component; even so, any downstream system or report fed by this component's data is exposed to tampered inputs.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-46930 is active across customer scan pipelines now, flagging any image that bundles an affected version of Oracle In-Memory Cost Management for Discrete Industries (12.2.12 through 12.2.15). Because Oracle has not yet published a fix version, no patched rebuild is available at this time. HarborGuard re-checks the advisory on every ingest cycle and will automatically surface a patched rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment Oracle ships a fix.

In the interim, teams should consider:

  • Network-policy isolation to restrict HTTPS access to the affected component to known internal IP ranges only.
  • Egress filtering to limit what the component can reach if compromised.
  • Feature-flag or WAF-layer controls to block unauthenticated requests to the Internal Operations endpoint where the application framework supports it.

Affected packages
  • Oracle Corporation / Oracle In-Memory Cost Management for Discrete Industries
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N