CVE-2026-46935: Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations)
Vulnerability in the Oracle Complex Maintenance, Repair and Overhaul product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Complex Maintenance, Repair and Overhaul. Successful attacks of this vulnerability can result in takeover of Oracle Complex Maintenance, Repair and Overhaul. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1
- 7.5
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
An unspecified vulnerability in the Internal Operations component of Oracle Complex Maintenance, Repair and Overhaul (part of Oracle E-Business Suite, versions 12.2.3 through 12.2.15) allows a network-adjacent attacker with a low-privilege account to fully compromise the application over HTTP. Successful exploitation gives the attacker complete control over the affected instance, covering confidentiality, integrity, and availability. No fix version has been published by Oracle; HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as upstream ships a fix.
HarborGuard Coverage
Detection of CVE-2026-46935 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images layered on Oracle E-Business Suite base images.
AvailableTriage is available with CVSS 3.1 score 7.5 (HIGH severity) applied automatically, weighted further by each customer organization's compliance policy to determine urgency and routing. Findings are dispatched to the appropriate team inbox within each customer org based on image ownership and policy configuration.
AvailableBecause no fix version has been published for CVE-2026-46935, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle publishes an upstream fix. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The attacker must reach the Oracle Complex Maintenance, Repair and Overhaul HTTP service over the network (AV:N); internet- or intranet-exposed deployments are in scope.
- AuthenticationRequired
A low-privilege account on the application is sufficient; unauthenticated access alone does not trigger this vulnerability (PR:L).
- Victim interactionNot required
No user action or social-engineering step is needed; the attacker operates independently of any victim (UI:N).
- Attack complexityDetail
Exploitation is rated high complexity (AC:H), meaning the attacker must meet specific conditions such as race timing, a particular configuration state, or other environmental factors that are not guaranteed on every attempt.
Blast Radius
- A successful attacker reads all data accessible to the compromised Oracle CMRO instance, including maintenance records, work orders, and any credentials or session tokens stored within the application.
- The attacker can modify or delete persisted data such as repair orders, overhaul schedules, and inventory records, corrupting operational integrity.
- The attacker can crash or otherwise render the Oracle CMRO service unavailable, disrupting maintenance and repair workflows that depend on it.
- Full application takeover means the attacker can also pivot to other systems reachable from the CMRO service account or application tier.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46935, the platform monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment an upstream fix is released. In the interim, customers can apply compensating controls supported by HarborGuard policy tooling: network-policy isolation to restrict HTTP access to the CMRO component to authorized internal subnets only, egress filtering to limit outbound connections from the application tier, and flagging of any image running an affected version (12.2.3 through 12.2.15) for expedited review in the compliance dashboard. Where auto-remediation is enabled, the full rebuild, regression test, and PR flow will activate without manual intervention as soon as Oracle ships the fix.
- Oracle Corporation / Oracle Complex Maintenance, Repair and Overhaul≤ 12.2.15
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H