CVE-2026-46960: Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations)
Vulnerability in the Oracle Project Portfolio Analysis product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Project Portfolio Analysis. Successful attacks of this vulnerability can result in takeover of Oracle Project Portfolio Analysis. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1
- 7.2
- Severity
- HIGH
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
This is a high-severity vulnerability in the Internal Operations component of Oracle Project Portfolio Analysis, part of Oracle E-Business Suite (versions 12.2.3 through 12.2.15). The flaw is reachable over the network via HTTP and requires an attacker to hold a high-privileged account, with no victim interaction needed. Successful exploitation gives the attacker full control over the affected Oracle Project Portfolio Analysis instance, including read, write, and disruption of service. No fix version has been published yet; HarborGuard tracks the upstream Oracle advisory and will make a patched-image rebuild available the moment a fix is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-46960 is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that package Oracle E-Business Suite components. Any image containing an affected version of Oracle Project Portfolio Analysis (12.2.3 through 12.2.15) is flagged automatically.
HarborGuard surfaces this CVE with its CVSS 3.1 score of 7.2 (HIGH) and applies each customer organization's compliance policy weighting to prioritize it appropriately in their queue. Findings are routed to the team or inbox configured within each customer environment based on their alert-routing rules.
Because no upstream fix has been published, HarborGuard re-evaluates the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Oracle ships a remediated version. In the interim, customers can apply compensating controls such as network-policy isolation to restrict HTTP access to the affected service, as described in the recommendation below.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Oracle Project Portfolio Analysis service over the network via HTTP; no local or physical access is needed.
- Authentication: Required
A high-privileged account within Oracle E-Business Suite is required; low-privilege or anonymous access is not sufficient to trigger this vulnerability.
- Victim interaction: Not required
No user interaction is needed; the attacker can exploit the vulnerability directly without involving another user.
- Attack complexity: Low
Attack complexity is low, meaning the exploit is reliable and requires no special environmental conditions, race conditions, or memory-layout knowledge.
Blast Radius
- A successful attacker reads all data accessible to the Oracle Project Portfolio Analysis application, including project financials, resource allocations, and internal operational records.
- The attacker can modify or delete persisted project portfolio data, corrupting plans, forecasts, and cost records stored in the application.
- The attacker can crash or render the Oracle Project Portfolio Analysis service unavailable, disrupting project management and reporting operations.
- Full application takeover means the attacker can pivot through any integration or trust relationship the affected instance holds with other Oracle E-Business Suite components.
How HarborGuard Handles This
Available on HarborGuard: CVE-2026-46960 is monitored continuously against the Oracle advisory feed. Because Oracle has not yet published a fix for the affected versions (12.2.3 through 12.2.15), no patched-image rebuild can be generated at this time. HarborGuard will trigger a rebuild automatically the moment an upstream fix is published, and for customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. While waiting for an upstream patch, the following compensating controls are worth evaluating: restrict inbound HTTP access to the Oracle Project Portfolio Analysis service using Kubernetes NetworkPolicy or equivalent firewall rules, limiting exposure to only trusted internal clients; apply egress filtering to prevent lateral movement if the service is compromised; and consider disabling or gating access to the Internal Operations component if it is not required by active workloads. HarborGuard will surface a new finding event and initiate the rebuild-and-PR flow as soon as Oracle ships a fix, with no manual intervention required from the customer's team.
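As an added example (not HarborGuard's or Oracle's own configuration), the following Kubernetes NetworkPolicy implements the two compensating controls described above: inbound HTTP to the Project Portfolio Analysis web tier only from trusted internal clients, and egress only to the database and cluster DNS. The namespace `ebs`, the pod labels, and the ports 8000 (EBS HTTP listener) and 1521 (database) are assumptions to be replaced with the deployment's real values.

```yaml
# Added example, not from the advisory. Assumed values: namespace "ebs",
# PPA web-tier pods labelled app=oracle-ebs-ppa listening on TCP 8000,
# trusted clients labelled ebs-client=trusted, database pods labelled
# app=oracle-ebs-db on TCP 1521. Adjust to the real deployment.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ppa-restrict-http
  namespace: ebs
spec:
  podSelector:
    matchLabels:
      app: oracle-ebs-ppa
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Once a policy selects the pod, all ingress not listed here is denied.
    # Only pods in this namespace carrying ebs-client=trusted may reach HTTP.
    - from:
        - podSelector:
            matchLabels:
              ebs-client: trusted
      ports:
        - protocol: TCP
          port: 8000
  egress:
    # Egress filtering: a compromised instance can only reach its database
    # and cluster DNS, limiting lateral movement to other EBS components.
    - to:
        - podSelector:
            matchLabels:
              app: oracle-ebs-db
      ports:
        - protocol: TCP
          port: 1521
    - to:
        # namespaceSelector and podSelector in one entry are ANDed together.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them, so after applying, confirm from a pod without the `ebs-client=trusted` label that the HTTP port is unreachable.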
- Oracle Corporation / Oracle Project Portfolio Analysis: ≤ 12.2.15
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H