HIGH | CVE-2026-46931 | CNA: oracle

CVE-2026-46931: Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations)

Vulnerability in the Oracle Enterprise Asset Management product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.6-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Enterprise Asset Management. Successful attacks of this vulnerability can result in takeover of Oracle Enterprise Asset Management. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: (no fix version listed)
Affected Products: 1

HarborGuard Analysis

Synopsis

This is a high-severity vulnerability in the Internal Operations component of Oracle Enterprise Asset Management, part of Oracle E-Business Suite (versions 12.2.6 through 12.2.15). An attacker with a low-privilege account and HTTP network access can exploit it without any victim interaction, making it straightforward to trigger remotely. Successful exploitation results in full takeover of the affected Oracle Enterprise Asset Management instance, letting the attacker read and modify its data and disrupt its availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix version.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: CVE-2026-46931 is ingested from upstream Oracle and NVD advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle E-Business Suite components. Any image in a connected registry or CI pipeline running an affected version (12.2.6 through 12.2.15) is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this finding at CVSS 8.8 (HIGH) and weighting it against each customer org's compliance policy to surface it at the appropriate severity tier. Routing rules within each environment can direct the alert to the right team inbox, such as an EBS platform group or a general security queue, depending on how the org has configured its policy.

Status: Available

Patch

No fix version has been published by Oracle for CVE-2026-46931. HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will immediately trigger a regression test run and open a PR against affected workloads, with no manual intervention required.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Enterprise Asset Management service over the network via HTTP; there is no local or physical access requirement.

  • Authentication: Required

    Any low-privilege account on the system is sufficient; no admin or elevated credentials are needed to trigger the vulnerability.

  • Victim interaction: Not required

    No user action is needed; the attacker can exploit this entirely on their own without involving another person.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special timing, race conditions, or environmental setup.

Blast Radius

  • A successful attacker can read all data stored in Oracle Enterprise Asset Management, including asset records, maintenance histories, and any credentials or session tokens held by the application.
  • The attacker can write to or modify persisted asset management data, including work orders, asset configurations, and operational records.
  • The attacker can crash or render the Oracle Enterprise Asset Management service unavailable, disrupting maintenance and operations workflows that depend on it.
  • Because the CVSS describes a full system takeover, the attacker gains the equivalent of application-level control, enabling persistent access and lateral movement within the E-Business Suite environment.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored, with no fix currently published by Oracle. HarborGuard re-checks the upstream Oracle advisory and NVD feed on every ingest cycle, so that the moment a patched version is released, a rebuilt image at that fix version becomes available without delay.

In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation rules can restrict HTTP access to Oracle EAM to authorized internal subnets only, and egress filtering can limit what the application process can reach if compromised.

For customers with auto-remediation enabled, once Oracle ships a fix the full flow runs automatically: image rebuild, regression test run, and a PR opened against affected workloads. The typical median time from CVE fix publication to merged patch PR is around 90 minutes for high-severity issues in those environments.

Affected packages
  • Oracle Corporation / Oracle Enterprise Asset Management
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H