CVE-2026-46959: Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations)
Vulnerability in the Oracle Subledger Accounting product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Subledger Accounting. Successful attacks of this vulnerability can result in takeover of Oracle Subledger Accounting. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unspecified vulnerability in the Internal Operations component of Oracle Subledger Accounting (part of Oracle E-Business Suite, versions 12.2.3 through 12.2.15) allows a low-privileged attacker with network access over HTTP to fully compromise the application. Exploitation requires overcoming high attack complexity conditions but does not require any victim interaction. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of Oracle Subledger Accounting. No fix version has been published yet; HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as Oracle releases one.
HarborGuard Coverage
- Detection: Available. Detection for CVE-2026-46959 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images that bundle Oracle E-Business Suite components.
- Triage: Available. Triage uses the CVSS 3.1 base score of 7.5 (HIGH severity), weighted against each customer environment's compliance policy to determine urgency; findings are routed to the appropriate team inbox within the customer org based on those policy settings.
- Remediation: Pending upstream. Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Where compliance policy permits auto-remediation, customers will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required. The attacker must reach the Oracle Subledger Accounting service over the network via HTTP; no local or physical access is assumed.
- Authentication: Required. Any low-privilege account on the system is sufficient; the attacker does not need administrative credentials.
- Victim interaction: Not required. No action from a logged-in user or administrator is needed to trigger the vulnerability.
- Attack complexity: High. Exploitation is rated high complexity, meaning the attacker must meet specific environmental conditions or timing requirements beyond simply sending a request.
Blast Radius
- A successful attacker reads all data accessible to Oracle Subledger Accounting, including financial journals, subledger entries, and any stored credentials or session material.
- The attacker can modify or delete persisted accounting records, subledger balances, and configuration data.
- The attacker can crash or render the Oracle Subledger Accounting service unavailable, disrupting financial close and reporting workflows.
- Because the CVSS description notes full application takeover, the attacker gains persistent execution capability within the compromised application context.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored with no upstream fix currently published by Oracle. On every ingest cycle, HarborGuard re-checks the Oracle advisory feed for patch availability; the moment a fix version is released, a patched-image rebuild becomes available for affected environments. In the interim, customers can apply compensating controls through HarborGuard's network-policy isolation recommendations, such as restricting HTTP access to Oracle Subledger Accounting endpoints to known, authorized IP ranges and enforcing egress filtering on containers running affected versions (12.2.3 through 12.2.15). For customers who opt into auto-remediation, the patched rebuild, regression-test run, and PR against affected workloads will be made available automatically once Oracle publishes a fix, with no manual steps required. Where compliance policy requires human approval before merging, the PR will be queued for review.
Affected Products
- Oracle Corporation / Oracle Subledger Accounting: ≤ 12.2.15
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
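As an added example, not HarborGuard's own matching logic, here is the version-range check an inventory scanner needs in order to decide whether a detected Oracle E-Business Suite version falls inside the affected range of 12.2.3 through 12.2.15. The image references in the sample inventory are constructed placeholders; the one point worth seeing in code is that versions must be compared numerically, component by component, because a plain string comparison ranks "12.2.15" below "12.2.3" and would silently miss the newest affected release.

```python
"""Affected-version check for the range stated in this advisory (added example)."""

# Range from the advisory: 12.2.3 through 12.2.15 inclusive. No fixed version has
# been published, so there is no "fixed in" bound to compare against yet.
AFFECTED_MIN = "12.2.3"
AFFECTED_MAX = "12.2.15"


def parse_version(text):
    """Convert '12.2.15' to the tuple (12, 2, 15).

    Tuples compare component by component, so 12.2.15 sorts after 12.2.3;
    string comparison would get that backwards ('12.2.15' < '12.2.3').
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unparseable version string: %r" % text)
    return tuple(int(p) for p in parts)


def is_affected(version, lo=AFFECTED_MIN, hi=AFFECTED_MAX):
    """True when lo <= version <= hi, comparing numerically."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


# Constructed sample inventory (hypothetical image names and detected versions,
# not taken from the advisory). Each entry: (image reference, EBS version found).
SAMPLE_INVENTORY = [
    ("registry.example/finance/ebs-app:a", "12.2.2"),
    ("registry.example/finance/ebs-app:b", "12.2.3"),
    ("registry.example/finance/ebs-app:c", "12.2.10"),
    ("registry.example/finance/ebs-app:d", "12.2.15"),
    ("registry.example/finance/ebs-app:e", "12.2.16"),
    ("registry.example/finance/ebs-app:f", "12.1.3"),
    ("registry.example/finance/ebs-app:g", "12.2.x"),
]


def triage(inventory):
    """Map each image to 'affected', 'not-affected' or 'unknown' (unparseable version)."""
    result = {}
    for image, version in inventory:
        try:
            result[image] = "affected" if is_affected(version) else "not-affected"
        except ValueError:
            # Unknown is not the same as not-affected: surface it for manual review
            # rather than letting a bad version string drop the image from the report.
            result[image] = "unknown"
    return result


if __name__ == "__main__":
    for image, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print("%-40s %s" % (image, status))
```

Once Oracle publishes a fix version, the same check extends naturally: an image is remediated when its version is at or above the fixed release, which is a second `parse_version` comparison rather than a new code path.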