HarborGuardharborguardDatabase
Back to search
HIGHCVE-2026-46955Published Modified CNA oracle

CVE-2026-46955: Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Person)

Vulnerability in the Oracle Human Resources product of Oracle E-Business Suite (component: Person). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Human Resources. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Human Resources. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1
7.5
Severity
HIGH
Fixed in
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

An unauthenticated network-exploitable vulnerability affects the Person component of Oracle Human Resources in Oracle E-Business Suite versions 12.2.3 through 12.2.15. An attacker who can reach the application over HTTP and induce a user to interact with a crafted request can trigger the flaw without holding any account credentials, though the attack requires both victim interaction and favorable conditions to succeed. Successful exploitation results in full takeover of the Oracle Human Resources instance, giving the attacker control over confidentiality, integrity, and availability of the application. No fix version has been published by Oracle; HarborGuard is tracking the advisory and will surface a patched rebuild the moment an upstream fix becomes available.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream Oracle and NVD feeds within minutes of publication and matched against all customer images, including custom-built images that layer Oracle E-Business Suite components. Any image containing an affected version of Oracle Human Resources (12.2.3 through 12.2.15) is flagged automatically.

Available
Triage

HarborGuard scores this finding at CVSS 7.5 HIGH and weights it against each customer environment's compliance policy to determine urgency and routing. The resulting alert is directed to the inbox or ticketing integration configured for the affected workload's owner within that customer organization.

Available
Patch

Because Oracle has not yet published a fix version, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment upstream ships a remediated release. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the fix is published.

Pending upstream

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the Oracle Human Resources application over the network via HTTP; the service must be exposed to the attacker's network position.

  • AuthenticationNot required

    No account credentials are needed; the attacker can interact with the vulnerable endpoint as an unauthenticated user.

  • Victim interactionRequired

    A person other than the attacker must take an action (such as clicking a crafted link or visiting a malicious page) for the attack to succeed.

  • Attack complexityDetail

    Exploitation is rated high complexity, meaning the attacker depends on race conditions, specific environmental state, or other factors outside their direct control, making reliable exploitation harder to achieve.

Blast Radius

  • Reads all data stored in the Oracle Human Resources instance, including employee personal records, compensation data, and HR documents.
  • Modifies or deletes HR records, organizational data, and user configurations persisted in the application.
  • Crashes or destabilizes the Oracle Human Resources service, denying access to HR functions across the organization.
  • Achieves full application takeover, enabling the attacker to pivot further within the E-Business Suite environment.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a patch for CVE-2026-46955, the immediate focus is containment and monitoring. HarborGuard continuously re-checks the upstream Oracle advisory and NVD on every ingest cycle so that a patched-image rebuild becomes available to affected environments the moment Oracle ships a fix. For customers who opt into auto-remediation, that rebuild will be followed automatically by a regression run and a PR opened against affected workloads. While no upstream fix exists, recommended compensating controls include applying strict network-policy rules to restrict HTTP access to the Oracle Human Resources application to only authorized internal clients, enabling egress filtering to prevent the application from initiating unexpected outbound connections, and reviewing whether the Person component can be feature-flag gated or access-restricted at the application tier to reduce the surface available to unauthenticated callers. HarborGuard will surface a detection-and-rebuild notification to configured channels as soon as an upstream fix version is published.

See how HarborGuard automates this
Affected packages
  • Oracle Corporation / Oracle Human Resources
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
References