HarborGuard Database

CVE-2026-46933 (CRITICAL), CNA: oracle

CVE-2026-46933: Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Internal Operations)

Vulnerability in the Oracle Applications Manager product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Applications Manager. While the vulnerability is in Oracle Applications Manager, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle Applications Manager. CVSS 3.1 Base Score 9.9 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: (no fix version published yet)
Affected Products: 1


HarborGuard Analysis

Synopsis

A critical-severity vulnerability affects the Internal Operations component of Oracle Applications Manager within Oracle E-Business Suite (versions 12.2.3 through 12.2.15). An attacker with a low-privilege account and network access over HTTP can exploit this flaw without any interaction from a victim, and the scope change means successful exploitation affects systems beyond Oracle Applications Manager itself. Successful exploitation results in full takeover of Oracle Applications Manager, including complete compromise of confidentiality, integrity, and availability. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment Oracle publishes a fix.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-46933 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Oracle E-Business Suite components.

Triage: Available

HarborGuard is capable of scoring this CVE at its CVSS v3.1 base score of 9.9 (Critical) and weighting it against each environment's compliance policy, then routing the finding to the appropriate team inbox within each customer organization.

Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Applications Manager service over a network via HTTP; local or physical access is not required.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker does not need administrative or elevated credentials.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed for the exploit to succeed.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other environmental factors.

Blast Radius

  • Reads all data stored within Oracle Applications Manager, including internal configuration, credentials, and any sensitive operational records.
  • Modifies or destroys persisted data and configuration across Oracle Applications Manager and, due to scope change, can affect connected downstream Oracle E-Business Suite products.
  • Crashes or disables the Oracle Applications Manager service, causing full loss of availability for dependent business operations.
  • Achieves complete takeover of Oracle Applications Manager, giving the attacker persistent control over the application and a pivot point into adjacent systems.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46933, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment upstream ships a remediated version. For customers with auto-remediation enabled, that rebuild will include a regression test run and a PR opened against affected workloads. In the interim, HarborGuard can surface this finding immediately so teams can apply compensating controls: network-policy isolation to restrict HTTP access to Oracle Applications Manager to explicitly authorized source addresses, egress filtering to limit lateral movement if the component is compromised, and feature-flag or access-control gating to reduce the pool of accounts that hold even low-privilege access to the affected component. The CVSS score of 9.9 with scope change means this issue warrants urgent compensating action while waiting for an upstream patch.

Affected packages
  • Oracle Corporation / Oracle Applications Manager: ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H