CVE-2026-46970 | Severity: HIGH | CNA: oracle

CVE-2026-46970: Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations)

Vulnerability in the Oracle HR Intelligence product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle HR Intelligence. Successful attacks of this vulnerability can result in takeover of Oracle HR Intelligence. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Metrics

CVSS v3.1 base score: 7.2
Severity: HIGH
Fixed in: no fix version published
Affected products: 1


HarborGuard Analysis

Synopsis

An unspecified vulnerability in the Internal Operations component of Oracle HR Intelligence (part of Oracle E-Business Suite, versions 12.2.3 through 12.2.15) is reachable over the network via HTTP. Exploitation requires a high-privileged account but no victim interaction, and successful exploitation results in full takeover of the Oracle HR Intelligence instance, including complete loss of confidentiality, integrity, and availability. No fix versions have been published by Oracle; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle Oracle E-Business Suite components. Any image carrying an affected Oracle HR Intelligence version (12.2.3 through 12.2.15) is flagged automatically.

Triage: Available

HarborGuard scores this CVE at 7.2 HIGH using the published CVSS v3.1 vector and can weight that score against each customer organization's compliance policy to determine urgency and routing. Triage alerts are directed to the appropriate team inbox within each customer org based on configured ownership rules.

Patch: Pending upstream

Because Oracle has not yet published a fix version, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available as soon as an upstream fix is released. In the interim, HarborGuard can surface compensating-control recommendations such as a network policy that restricts inbound HTTP access to the Internal Operations component to known, authorized source addresses, and egress filtering from the affected service so that a compromised instance cannot easily reach other systems.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle HR Intelligence service over the network via HTTP (AV:N); there is no local or physical access requirement.

  • Authentication: Required

    A high-privileged account (PR:H), such as an Oracle EBS administrator, is needed; low-privilege or anonymous access is not sufficient.

  • Victim interaction: Not required

    No user action is needed (UI:N); the attacker can exploit the vulnerability entirely on their own initiative.

  • Attack complexity: Low

    CVSS rates attack complexity as low (AC:L): exploitation does not depend on conditions outside the attacker's control, such as race conditions, specific memory layouts, or other unpredictable environmental factors, so a working exploit is expected to be reliable.

Blast Radius

  • A successful attacker reads all data accessible to the Oracle HR Intelligence application, including employee records, compensation data, and internal HR reports.
  • A successful attacker modifies or deletes persisted HR data, including payroll configurations, employee records, and audit logs.
  • A successful attacker crashes or otherwise disables the Oracle HR Intelligence service, making HR operational functions unavailable.
  • Combined control over confidentiality, integrity, and availability constitutes a full application takeover within the affected E-Business Suite instance. The vector's Scope is Unchanged (S:U), so the rated impact is confined to the HR Intelligence component's own security authority; reaching other EBS modules or the host would require a further step not covered by this rating.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46970, HarborGuard re-checks the upstream Oracle advisory on every ingest cycle and will automatically make a patched-image rebuild available as soon as Oracle ships a corrected version. For customers with auto-remediation enabled, that rebuild triggers a regression-test run and opens a PR against affected workloads without manual intervention. While no patch is available, HarborGuard can highlight compensating controls for affected environments: isolating the Oracle HR Intelligence service with a restrictive network policy that limits inbound HTTP access to known, authorized source addresses; applying egress filtering so that a compromised instance cannot easily reach other systems; and, where architecture permits, gating access to the Internal Operations component behind an additional authentication layer. Because exploitation requires a high-privileged account (PR:H), network controls help only to the extent that they constrain where such accounts can authenticate from; reviewing and minimizing the set of high-privilege EBS accounts, and alerting on their HTTP activity against the Internal Operations component, addresses the precondition directly. Customers whose compliance policy flags HIGH-severity unpatched CVEs for escalation receive routed alerts to the appropriate team inbox automatically.

Affected packages
  • Oracle Corporation / Oracle HR Intelligence
    12.2.3 through 12.2.15 (supported versions listed as affected by Oracle)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H