CVE-2026-46939: Vulnerability in the Oracle Configure to Order product of Oracle E-Business Suite (component: Supply to Order Workbench)
Vulnerability in the Oracle Configure to Order product of Oracle E-Business Suite (component: Supply to Order Workbench). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Configure to Order. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Configure to Order accessible data as well as unauthorized access to critical data or complete access to all Oracle Configure to Order accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization or access-control vulnerability affects the Supply to Order Workbench component of Oracle Configure to Order, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over HTTP by any authenticated low-privilege user and requires no victim interaction or special conditions. Successful exploitation gives the attacker full read access to all Configure to Order data and the ability to create, modify, or delete critical records. HarborGuard is tracking the advisory for patch availability, as no fix version has been published yet.
HarborGuard Coverage
Detection of CVE-2026-46939 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against container images in customer registries, CI/CD pipelines, and custom-built images. Any image containing an affected version of Oracle Configure to Order (12.2.3 through 12.2.15) is flagged automatically. (Status: Available)
HarborGuard scores this CVE at its published CVSS 3.1 base score of 8.1 (HIGH) and weights it further against each customer environment's compliance policy. Findings are routed to the appropriate team inbox within each customer organization based on the affected workload and configured escalation rules. (Status: Available)
Because no upstream fix version has been published for this CVE, HarborGuard re-checks the Oracle advisory on every ingest cycle. Once Oracle publishes a patched release, a rebuilt image at that version becomes available; for customers with auto-remediation enabled, a regression test run and a pull request against affected workloads are opened automatically. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The attacker must reach the Supply to Order Workbench service over the network via HTTP; no physical or local access is required.
- Authentication: Required
A valid account with low-privilege access to the Oracle E-Business Suite environment is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
The attacker does not need to trick or involve any other user to carry out the attack.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other variable environmental factors.
Blast Radius
- Reads all data accessible to the Configure to Order application, including order configurations, supply records, and any associated customer or product data.
- Creates, modifies, or deletes critical records within Configure to Order, enabling manipulation of supply chain and order workbench data.
- No availability impact is indicated; the service itself remains running, but the integrity and confidentiality of its data are fully compromised.
How HarborGuard Handles This
Available on HarborGuard: images containing Oracle Configure to Order versions 12.2.3 through 12.2.15 are flagged against this CVE as soon as the advisory is ingested, with a severity rating of HIGH (CVSS 8.1). Because Oracle has not yet published a fix, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a pull request against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy restrictions that limit HTTP access to the Supply to Order Workbench to only explicitly authorized internal roles, egress filtering to reduce lateral movement from a compromised workbench instance, and a review of which low-privilege accounts currently have access to the affected component.
Affected Products
- Oracle Corporation / Oracle Configure to Order: ≤ 12.2.15
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N