CVE-2026-46934: Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations)
Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unspecified vulnerability in the Internal Operations component of Oracle Complex Maintenance, Repair and Overhaul (part of Oracle E-Business Suite, versions 12.2.3 through 12.2.15) allows a remote attacker with a low-privilege account to exploit the system over HTTP under high-complexity conditions. Successful exploitation results in full takeover of the affected product, giving the attacker read, write, and availability control over the application. No fix version has been published yet; HarborGuard is tracking this advisory and will surface a patched-image rebuild as soon as Oracle releases one.
HarborGuard Coverage
- Detection: Available
Detection for CVE-2026-46934 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including internally built images layering Oracle E-Business Suite components. Any image running an affected version of Oracle Complex Maintenance, Repair and Overhaul (12.2.3 through 12.2.15) is flagged automatically.
- Triage: Available
Triage is available with CVSS 3.1 scoring at 7.5 (HIGH severity), surfaced alongside each customer org's compliance policy weighting to prioritize accordingly. Findings are routed to the appropriate team inbox within each customer environment based on configured ownership rules.
- Remediation: Pending upstream
Because no fix version has been published by Oracle, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger automatically at that point, without requiring manual intervention.
Exploit Conditions
- Network reachability: Required
The attacker must reach the affected service over the network via HTTP; the vulnerability is exposed to network-accessible deployments.
- Authentication: Required
A low-privilege account is sufficient; the attacker must be authenticated, but no administrative or elevated permissions are needed.
- Victim interaction: Not required
No user interaction is needed; the attacker can exploit the vulnerability entirely without involving another user.
- Attack complexity: High
Attack complexity is high, meaning the attacker must meet specific environmental conditions or timing constraints beyond basic access to carry out the exploit reliably.
Blast Radius
- A successful attacker reads all data accessible to the Oracle Complex Maintenance, Repair and Overhaul application, including maintenance records, operational data, and any credentials or session material stored within.
- A successful attacker modifies or deletes persisted application data, including work orders, repair records, and configuration state.
- A successful attacker disrupts availability of the affected service, taking it offline or rendering it unresponsive to legitimate users.
- Combined impact across confidentiality, integrity, and availability constitutes a full application takeover as described in the CVE record.
How HarborGuard Handles This
Remediation status on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46934, the platform monitors this advisory on every ingest cycle and will automatically make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, that event will kick off a rebuild at the patched version, a regression test run, and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls are worth considering: network-policy rules that restrict HTTP access to the Internal Operations component to known internal IP ranges, egress filtering to limit lateral movement if a host is compromised, and feature-flag or module-level gating of the affected Internal Operations component where operationally feasible. Customers whose compliance policy requires action on HIGH-severity findings with no available fix can use HarborGuard's policy controls to flag affected images for review and enforce a block-on-deploy rule until the patch is available.
Affected Products
- Oracle Corporation / Oracle Complex Maintenance, Repair and Overhaul: ≤ 12.2.15
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H