CVE-2026-46945 (CRITICAL), CNA: oracle

CVE-2026-46945: Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations)

Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: no fix version published yet
Affected Products: 1


HarborGuard Analysis

Synopsis

A critical remote-code-execution class vulnerability affects the Internal Operations component of Oracle iSupport, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. An attacker with administrative network access can reach the component over HTTP without any victim interaction and, if successful, achieves full takeover of Oracle iSupport, with impacts that spill over into additional products in the same environment due to a scope change in the CVSS rating. No fix version has been published by Oracle at this time; HarborGuard is tracking the advisory and will make a patched-image rebuild available the moment an upstream fix is released.

HarborGuard Coverage

Detection: Available

Detection capability for CVE-2026-46945 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that package Oracle E-Business Suite components. Any image in a connected registry or CI pipeline running an affected iSupport version (12.2.3 through 12.2.15) is flagged automatically.

Triage: Available

HarborGuard is capable of triaging this CVE at its published CVSS 3.1 score of 9.1 (Critical), weighted against each customer organization's compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within each customer environment based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will follow without manual intervention once a fix becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle iSupport service over the network via HTTP; local or physical access is not sufficient.

  • Authentication: Required

    An administrative (high-privilege) account is needed; the attacker must already hold or obtain admin credentials before exploiting this vulnerability.

  • Victim interaction: Not required

    No user action is needed; the attacker interacts directly with the service and does not need to trick any legitimate user into doing anything.

  • Attack complexity: Low

    Attack complexity is Low, meaning the exploit is reliable and imposes no special timing, race conditions, or environmental prerequisites beyond holding valid admin credentials.

Blast Radius

  • A successful attacker reads all data accessible to Oracle iSupport, including stored support tickets, internal operational records, and any credentials or session material held by the application.
  • The attacker can modify or delete persisted data within Oracle iSupport, including case records, configuration, and operational state.
  • The attacker can crash or render Oracle iSupport unavailable, disrupting support workflows that depend on the service.
  • Because the CVSS scope is changed, a successful exploit can extend compromise into other Oracle E-Business Suite products sharing the same environment, not just the iSupport component itself.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46945, the platform monitors the advisory on every ingest cycle and will trigger a patched-image rebuild the moment Oracle releases a corrected version. For customers who opt into auto-remediation, that rebuild will be followed immediately by a regression-test run and a PR opened against affected workloads, with no manual steps required. In the interim, compensating controls are available to reduce exposure: network-policy isolation can restrict HTTP access to the iSupport Internal Operations endpoint to only known administrative source addresses, egress filtering can prevent a compromised instance from reaching adjacent products and limit the scope-change impact, and where the Internal Operations component can be feature-flag gated or disabled without breaking business workflows, that option is worth evaluating. The 9.1 Critical rating and confirmed scope change make this a priority item; customers running any iSupport version between 12.2.3 and 12.2.15 in containers should treat isolation controls as urgent until Oracle ships a fix.

Affected packages
  • Oracle Corporation / Oracle iSupport
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H