CVE-2026-46947: Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations)
Vulnerability in the Oracle Advanced Outbound Telephony product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony. Successful attacks of this vulnerability can result in takeover of Oracle Advanced Outbound Telephony. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authorization or access-control vulnerability affects the Internal Operations component of Oracle Advanced Outbound Telephony, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over HTTP from any network, requires only a low-privilege account, and needs no victim interaction. Successful exploitation gives an attacker full control over the affected component, enabling complete read, write, and availability impact equivalent to a system takeover. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Oracle ships a patch.
HarborGuard Coverage
Detection for CVE-2026-46947 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed ingestion, including custom-built images that bundle Oracle E-Business Suite components. Status: Available.
Triage is available with a CVSS 3.1 base score of 8.8 (HIGH), weighted against each customer environment's compliance policy and routed to the appropriate team inbox based on configured escalation rules. Status: Available.
Because no fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix appears. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Oracle Advanced Outbound Telephony service over the network via HTTP; no physical or local access is required.
- Authentication: Required
  Any low-privilege account on the target system is sufficient; no administrative credentials are needed.
- Victim interaction: Not required
  No user interaction or social engineering is needed; the attacker can exploit the vulnerability entirely on their own.
- Attack complexity: Detail
  Exploit complexity is low, meaning no race conditions, special memory layout, or environmental preconditions are required for a reliable attack.
Blast Radius
- Reads all data accessible to the Oracle Advanced Outbound Telephony component, including call records, customer contact data, and internal configuration.
- Modifies or deletes persisted telephony configuration, campaign data, and operational records.
- Crashes or renders the Oracle Advanced Outbound Telephony service unavailable, disrupting outbound call operations.
- The combination of full confidentiality, integrity, and availability impact at the component level constitutes a complete takeover of the affected installation.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46947, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once an upstream fix is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls worth evaluating include network-policy isolation that restricts HTTP access to the Internal Operations component to known internal IP ranges, egress filtering to limit lateral movement if the component is compromised, and review of which accounts hold low-privilege access to the E-Business Suite instance given that any such account is sufficient to exploit this vulnerability.
- Oracle Corporation / Oracle Advanced Outbound Telephony: ≤ 12.2.15
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H