CVE-2026-46952: Vulnerability in the Oracle Quality product of Oracle E-Business Suite (component: Internal Operations)
Vulnerability in the Oracle Quality product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Quality. Successful attacks of this vulnerability can result in takeover of Oracle Quality. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: — (no fix version published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unspecified vulnerability in the Internal Operations component of Oracle Quality, part of Oracle E-Business Suite (versions 12.2.3 through 12.2.15), allows a low-privileged attacker to exploit the product over HTTP without any user interaction. The attack is network-accessible and requires no complex conditions, making it straightforward to attempt. Successful exploitation results in full takeover of Oracle Quality, giving the attacker control over its confidentiality, integrity, and availability. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment Oracle publishes a fix.
HarborGuard Coverage
Detection (Available): Detection of CVE-2026-46952 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from Oracle E-Business Suite base layers. Any image running an affected Oracle Quality version (12.2.3 through 12.2.15) is flagged automatically in both registry scans and CI/CD pipeline checks.
Triage (Available): Triage uses the CVSS 3.1 base score of 8.8 (HIGH), surfaced alongside each customer organization's compliance-policy weighting so findings can be prioritized accordingly. Findings are routed to the appropriate team inbox within each customer environment based on configured ownership and severity thresholds.
Remediation (Pending upstream): No fix version has been published by Oracle for this CVE. HarborGuard re-checks the upstream advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle releases a corrected version. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once a fix is available.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle Quality service over the network via HTTP; no local or physical access is needed.
- Authentication: Required
Any low-privilege account is sufficient; the attacker does not need administrative or elevated credentials.
- Victim interaction: Not required
No action from a logged-in user or administrator is needed to complete the attack.
- Attack complexity: Low
The attack requires no special conditions: no race windows or environment-specific factors are needed (CVSS AC:L).
Blast Radius
- A successful attacker can read all data stored within Oracle Quality, including quality records, inspection results, and any credentials or tokens held by the application.
- The attacker can modify or delete persisted quality data, corrupting audit trails and production records.
- The attacker can crash or render Oracle Quality unavailable, disrupting any business processes that depend on it.
- The CVSS vector scores scope as unchanged (S:U), so the score reflects impact on Oracle Quality itself only; a full takeover of the application nevertheless exposes its internal service connections to adjacent E-Business Suite components as a potential lateral-movement path, which is why the egress controls below matter.
How HarborGuard Handles This
Available on HarborGuard: because Oracle has not yet published a fix for this CVE, HarborGuard monitors the upstream Oracle advisory on every ingest cycle and will surface a patched-image rebuild the moment a corrected version is released. In the interim, customers can apply compensating controls through HarborGuard's policy engine: network-policy rules can be used to restrict HTTP access to Oracle Quality to only known, authorized source IP ranges; egress filtering can limit the application's outbound connections to reduce lateral movement risk if the component is compromised. Where auto-remediation is enabled, the full rebuild, regression test run, and PR workflow will trigger automatically against affected workloads as soon as the upstream fix is available, with no manual steps required.
Affected Products
- Oracle Corporation / Oracle Quality: ≤ 12.2.15 (supported versions 12.2.3 through 12.2.15 are affected)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H