HIGH | CVE-2026-46937 | Published | Modified | CNA: oracle

CVE-2026-46937: Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports)

Vulnerability in the Oracle iSetup product of Oracle E-Business Suite (component: General Ledger Update Transform, Reports). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle iSetup. Successful attacks of this vulnerability can result in takeover of Oracle iSetup. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

This is an easily exploitable authorization vulnerability in the Oracle iSetup component of Oracle E-Business Suite, specifically affecting the General Ledger Update Transform and Reports subcomponent in versions 12.2.3 through 12.2.15. An attacker with any low-privilege account and HTTP network access can reach the vulnerable component without requiring victim interaction. Successful exploitation results in full takeover of Oracle iSetup, including complete read, write, and availability impact. No fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment Oracle publishes a fix.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-46937 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from Oracle and upstream advisory feeds, including custom-built images that bundle Oracle E-Business Suite components. Any image containing an affected Oracle iSetup version (12.2.3 through 12.2.15) is flagged automatically during registry scans and CI/CD pipeline checks.

Triage (Available)

HarborGuard scores this CVE at CVSS 8.8 HIGH and surfaces it accordingly in each customer environment's priority queue, with weighting adjustable per compliance policy. Triage findings are routed to the appropriate team inbox based on each organization's configured ownership rules, so the right engineers see the alert without manual sorting.

Patch (Pending upstream)

Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a remediated version. In the meantime, compensating controls such as network-policy isolation restricting HTTP access to Oracle iSetup endpoints, and egress filtering for affected workloads, are surfaced as recommended mitigations within the HarborGuard findings detail view.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle iSetup service over the network via HTTP; AV:N means the vulnerable component is exposed to network-reachable attackers.

  • Authentication: Required

    A valid low-privilege account is sufficient; PR:L means any authenticated user, with no elevated or admin rights needed, can attempt exploitation.

  • Victim interaction: Not required

    UI:N confirms the attacker does not need to trick or involve any other user to trigger the vulnerability.

  • Attack complexity: Low

    AC:L indicates that no specialized conditions, such as race conditions or particular environmental configuration, are required, so an attack is expected to succeed reliably.

Blast Radius

  • A successful attacker reads all data accessible to Oracle iSetup, including General Ledger configuration, financial transform definitions, and report data.
  • The attacker can modify or corrupt General Ledger Update Transform configurations and report outputs, altering financial records or business logic.
  • The attacker can make Oracle iSetup unavailable, disrupting financial reporting and ERP workflows that depend on the component.
  • Because the CVSS vector reflects full C/I/A impact, full application-level takeover of the iSetup instance is achievable from a single low-privilege account.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46937, the platform monitors the Oracle advisory feed on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a PR against affected workloads the moment a remediated version is released. While waiting for an upstream patch, HarborGuard surfaces compensating-control recommendations within the CVE findings view, including network-policy rules to restrict HTTP access to Oracle iSetup endpoints to authorized source ranges only, egress filtering to limit lateral movement from a compromised iSetup instance, and feature-flag or component-level gating to disable the General Ledger Update Transform and Reports subcomponent in environments where it is not actively required. Customers whose compliance policy flags unpatched HIGH or CRITICAL CVEs for escalation will see this finding routed to their configured security inbox automatically.

Affected packages
  • Oracle Corporation / Oracle iSetup: ≤ 12.2.15

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H