HarborGuard Database

Severity: HIGH | CVE-2026-46958 | CNA: oracle

CVE-2026-46958: Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations)

Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1 base score: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

An unspecified vulnerability in the Internal Operations component of Oracle Subledger Accounting (part of Oracle E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged attacker with network access via HTTP to compromise the application. Exploitation is rated as difficult due to environmental or timing conditions, but a successful attack results in full takeover of the affected Oracle Subledger Accounting instance, impacting confidentiality, integrity, and availability. No fix version has been published yet; HarborGuard tracks the advisory and will surface a patched-image rebuild as soon as Oracle releases one.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds, including Oracle's advisory channel, within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle E-Business Suite components. Any image running an affected version of Oracle Subledger Accounting (12.2.3 through 12.2.15) is flagged automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights it against each customer environment's compliance policy, which may elevate or suppress priority based on exposure profile and regulatory requirements. Triage findings are routed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Pending upstream

Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, HarborGuard surfaces the affected images and supports manual compensating-control workflows, including network-policy isolation recommendations and flagging for expedited review.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Subledger Accounting service over the network via HTTP; no local or physical access is required.

  • Authentication: Required

    A low-privilege account on the target application is required; unauthenticated access is not sufficient to trigger this vulnerability.

  • Victim interaction: Not required

    The attacker does not need any user or administrator to interact with a link, file, or prompt to complete the attack.

  • Attack complexity: High

    Attack complexity is rated HIGH, meaning the exploit depends on specific environmental conditions, timing, or configuration factors that the attacker cannot fully control and may need to attempt repeatedly.

Blast Radius

  • A successful attacker reads all data accessible to the Oracle Subledger Accounting application, including accounting entries, journal lines, and associated financial records.
  • A successful attacker modifies or deletes persisted accounting data, including subledger journal entries and internal operational records.
  • A successful attacker crashes or renders unavailable the Oracle Subledger Accounting service, disrupting financial close and reporting workflows.
  • Because the CVE description characterizes the outcome as full application takeover, the attacker gains the ability to execute arbitrary operations within the application context.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix version for CVE-2026-46958, the platform monitors the advisory on every ingest cycle and, the moment Oracle ships a patch, will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, a regression-test run and a PR opened against affected workloads. Until then, HarborGuard recommends the following compensating controls:

  • Use Kubernetes NetworkPolicy or equivalent to restrict inbound HTTP access to Oracle Subledger Accounting pods to only authorized service accounts and IP ranges.
  • Apply egress filtering to limit lateral movement if the component is compromised.
  • Consider feature-flag gating or temporarily disabling non-essential Internal Operations endpoints if your Oracle EBS configuration supports it.

Affected image versions (12.2.3 through 12.2.15) are surfaced in the HarborGuard dashboard under the HIGH severity queue, and per-environment compliance policy weighting ensures the right teams receive prioritized alerts.
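The ingress restriction and egress filtering recommended above, written out as a single Kubernetes NetworkPolicy. This is an added example, not HarborGuard's or Oracle's configuration, and every concrete value in it is an assumption: the Subledger Accounting pods are assumed to carry the label `app: oracle-ebs-sla` in a namespace called `erp`, the EBS web tier is assumed to listen on TCP 8000, authorized callers are assumed to carry the label `ebs-client: allowed`, the administrative network is assumed to be `10.20.0.0/16`, the database pods are assumed to be labelled `app: oracle-db` on TCP 1521, and cluster DNS pods are assumed to carry `k8s-app: kube-dns`. Adjust each to your deployment.

```yaml
# Added example (not HarborGuard's or Oracle's configuration).
# All labels, namespaces, CIDRs and ports below are hypothetical placeholders.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-oracle-sla
  namespace: erp
spec:
  # Applies to the Subledger Accounting pods only.
  podSelector:
    matchLabels:
      app: oracle-ebs-sla
  # Listing both types turns every flow not matched below into a deny.
  # With only "Ingress" listed, outbound traffic would remain unrestricted
  # and the egress-filtering recommendation would not be enforced.
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Both sources sit in one rule so the port restriction applies to each:
    # labelled client pods in this namespace, plus the admin IP range.
    - from:
        - podSelector:
            matchLabels:
              ebs-client: allowed
        - ipBlock:
            cidr: 10.20.0.0/16
      ports:
        - protocol: TCP
          port: 8000
  egress:
    # Cluster DNS from any namespace (namespaceSelector {} + podSelector
    # in the same entry means "pods with this label in all namespaces").
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # The database tier only; nothing else is reachable from the app pods,
    # which limits lateral movement if the application is compromised.
    - to:
        - podSelector:
            matchLabels:
              app: oracle-db
      ports:
        - protocol: TCP
          port: 1521
```

Two caveats when applying this. NetworkPolicy has no service-account selector, so the "authorized service accounts" part of the recommendation has to be approximated by labelling the client pods (as above) or enforced separately with a service-mesh authorization policy that does match on workload identity. And the policy only takes effect on a CNI that implements NetworkPolicy; on a cluster whose network plugin ignores the resource, `kubectl apply` succeeds but nothing is blocked, so verify enforcement with a connectivity test from an unlabelled pod after rollout.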

Affected packages

  • Oracle Corporation / Oracle Subledger Accounting, versions ≤ 12.2.15 (supported affected versions: 12.2.3 through 12.2.15)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H