CVE-2026-46946 | Severity: CRITICAL | CNA: oracle

CVE-2026-46946: Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations)

Vulnerability in the Oracle iSupport product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle iSupport. While the vulnerability is in Oracle iSupport, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle iSupport. CVSS 3.1 Base Score 9.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: no fix published yet
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A critical-severity vulnerability affects the Internal Operations component of Oracle iSupport, part of Oracle E-Business Suite (versions 12.2.3 through 12.2.15). An attacker with admin-level network access over HTTP can exploit this flaw without any victim interaction, and successful exploitation results in full takeover of Oracle iSupport, with spillover impact on additional products in scope. No fix version has been published by Oracle at this time; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Oracle E-Business Suite components. Any image found running Oracle iSupport versions 12.2.3 through 12.2.15 is flagged automatically.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 9.1 (Critical) and weighting it against each customer org's compliance policy to prioritize routing. Triage alerts are delivered to the appropriate team inbox within each customer environment based on configured ownership rules.

Patch: Pending upstream

No upstream fix has been published for this CVE. HarborGuard re-checks the Oracle advisory each ingest cycle and will make a patched-image rebuild available the moment Oracle ships a fix. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically at that point.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle iSupport service over the network via HTTP; local or physical access is not sufficient.

  • Authentication: Required

    An admin or otherwise high-privileged account is needed; unauthenticated access alone is not sufficient to trigger this vulnerability.

  • Victim interaction: Not required

    No user interaction is needed; the attacker can exploit this vulnerability entirely without involving another person.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other hard-to-control environmental factors.

Blast Radius

  • A successful attacker gains full control of Oracle iSupport, including the ability to read all data stored in the application such as customer records and support case contents.
  • The attacker can modify or delete persisted data across Oracle iSupport, including internal operational records and configurations.
  • The attacker can crash or otherwise disrupt the Oracle iSupport service, causing a denial of service for end users and support staff.
  • Because the CVSS scope is changed, the attacker can pivot to compromise additional Oracle E-Business Suite products running in the same environment.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously against every customer image registry and CI pipeline. Because Oracle has not yet published a fix, the current capability is advisory-level: affected images running Oracle iSupport 12.2.3 through 12.2.15 are flagged at Critical severity and routed per each org's compliance policy. In the absence of a vendor patch, HarborGuard supports compensating controls by surfacing the affected workloads so teams can apply network-policy isolation (restricting HTTP access to the Internal Operations component to known admin source IPs), egress filtering to limit lateral movement if the service is compromised, and feature-flag or role-based gating to reduce the set of accounts that hold the high-privileged access required to trigger this flaw. HarborGuard re-checks the Oracle advisory each ingest cycle; the moment Oracle publishes a patched release, a rebuilt image becomes available, and for customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads will be triggered automatically.

Affected packages
  • Oracle Corporation / Oracle iSupport
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H