CVE-2026-46938: Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning)
Vulnerability in the Oracle Cost Management product of Oracle E-Business Suite (component: Cost Planning). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Cost Management. Successful attacks of this vulnerability can result in takeover of Oracle Cost Management. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 7.2
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unspecified vulnerability in the Cost Planning component of Oracle Cost Management, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15, is reachable over the network via HTTP. Exploitation requires a high-privileged account but no victim interaction, and the attack complexity is low. Successful exploitation gives an attacker full control over the affected component, impacting confidentiality, integrity, and availability. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched rebuild available as soon as Oracle ships a fix.
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle Oracle E-Business Suite components. Any image containing an affected version of Oracle Cost Management (12.2.3 through 12.2.15) is flagged automatically.
- Prioritization: Available
HarborGuard scores this CVE at CVSS 7.2 HIGH and weights it against each customer organization's compliance policy to determine priority and routing. Findings are directed to the appropriate team inbox within each customer environment based on configured escalation rules.
- Remediation: Pending upstream
Because no upstream fix version exists yet, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available the moment Oracle publishes a fix. For customers with auto-remediation enabled, a rebuild, regression test run, and pull request against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle Cost Management service over the network via HTTP; there is no requirement for local or physical access.
- Authentication: Required
A high-privileged account (such as an administrative user) is required; low-privilege or anonymous access is not sufficient.
- Victim interaction: Not required
No action from a victim user is needed; the attacker can exploit the vulnerability entirely on their own.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- A successful attacker reads all data accessible to the Oracle Cost Management application, including cost plans, pricing records, and any credentials or tokens stored in the component.
- The attacker can modify or delete persisted cost planning data, corrupting financial records and planning outputs.
- The attacker can crash or render the Oracle Cost Management service unavailable, disrupting cost planning operations.
- Because all three impact dimensions (confidentiality, integrity, availability) score HIGH, the practical outcome is a full takeover of the affected component.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46938 is active across all customer environments, matching images containing Oracle E-Business Suite Cost Management versions 12.2.3 through 12.2.15. Because Oracle has not yet published a fix, no patched rebuild is available at this time. HarborGuard re-checks the advisory on every ingest cycle; when Oracle ships a patch, a rebuild will become available immediately, and customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a pull request opened against affected workloads. In the interim, consider compensating controls such as restricting network access to the Cost Planning component via network policy, limiting the number of accounts with high privileges, and enabling egress filtering to reduce the blast radius of any exploitation.
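The detection described above comes down to matching an image's Oracle Cost Management version against the inclusive range 12.2.3 through 12.2.15. As an added example that is not HarborGuard's scanner code, the snippet below shows the comparison done correctly: versions are parsed into integer tuples so that 12.2.9 sorts below 12.2.15 (a naive string comparison would put it above and miss the match), and a version string the parser does not understand fails loudly instead of being silently treated as unaffected. The image inventory and image names are constructed sample data.

```python
import re

# Inclusive affected range taken from the advisory: 12.2.3 through 12.2.15.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 15)
CVE_ID = "CVE-2026-46938"

# The advisory states versions as three dotted integers; anything else is rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn '12.2.15' into (12, 2, 15) so comparisons are numeric, not lexical."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        # Fail closed: an unparseable version must not be reported as "clean".
        raise ValueError(f"unrecognised Oracle Cost Management version: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True when the version lies inside the advisory's inclusive range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


# Constructed sample inventory: (image reference, component, version).
# Image names are hypothetical; component name is a placeholder label.
SAMPLE_INVENTORY = [
    ("registry.example/ebs-app:build-41", "oracle-cost-management", "12.2.3"),
    ("registry.example/ebs-app:build-42", "oracle-cost-management", "12.2.9"),
    ("registry.example/ebs-app:build-43", "oracle-cost-management", "12.2.15"),
    ("registry.example/ebs-legacy:build-7", "oracle-cost-management", "12.2.2"),
    ("registry.example/ebs-next:build-1", "oracle-cost-management", "12.2.16"),
    ("registry.example/reporting:build-9", "some-other-component", "12.2.10"),
]


def flag_affected(inventory, component="oracle-cost-management"):
    """Return one finding per image whose Cost Management version is in range."""
    findings = []
    for image, comp, version in inventory:
        if comp != component:
            continue
        if is_affected(version):
            findings.append({"image": image, "version": version, "cve": CVE_ID})
    return findings


if __name__ == "__main__":
    for finding in flag_affected(SAMPLE_INVENTORY):
        print(f"{finding['cve']}: {finding['image']} ships version {finding['version']}")
```

Only the first three images are reported: 12.2.2 predates the range, 12.2.16 is past it, and the reporting image does not carry the component at all. The lexical trap is worth keeping in mind when writing range checks by hand: `"12.2.9" > "12.2.15"` is True as strings, which would wrongly exclude 12.2.9 from the range.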
Affected Products
- Oracle Corporation / Oracle Cost Management: ≤ 12.2.15
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H