CVE-2026-46972: Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations)
Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An unspecified vulnerability (classified as leading to full product takeover) affects the Internal Operations component of Oracle Outsourced Mfg for Discrete Industries, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over the network via HTTP and requires only a low-privileged account, with no victim interaction needed. Successful exploitation gives an attacker full control over the affected application, impacting confidentiality, integrity, and availability. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment Oracle ships an upstream fix.
HarborGuard Coverage
Detection of CVE-2026-46972 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including internally built custom images that package Oracle E-Business Suite components.
Status: Available
Triage is available with a CVSS 3.1 score of 8.8 (HIGH), surfaced alongside each customer organization's compliance policy weighting to reflect the actual risk level in that environment; findings are routed automatically to the inbox or team configured for high-severity issues.
Status: Available
Because no fix version has been published by Oracle, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger without manual intervention once the patch is available.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the affected service over the network via HTTP; no local or physical access is needed.
- Authentication: Required
  Any low-privilege account with network access is sufficient; no administrative rights are needed.
- Victim interaction: Not required
  No user action or social engineering is needed; the attacker can exploit the vulnerability directly.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions or specific environmental configurations.
Blast Radius
- A successful attacker can read all data accessible to the Oracle Outsourced Mfg for Discrete Industries application, including manufacturing records, operational data, and any stored credentials or tokens.
- The attacker can modify or delete persisted application data, including production orders, supplier records, and internal operational configurations.
- The attacker can crash or otherwise deny availability of the Oracle Outsourced Mfg for Discrete Industries service to legitimate users.
- Full application takeover is achievable, meaning the attacker can pivot further into connected Oracle E-Business Suite components or backend infrastructure.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged with a CVSS 8.8 HIGH severity rating and tracked continuously against all images in customer environments that include Oracle E-Business Suite components. Because Oracle has not published a fix for versions 12.2.3 through 12.2.15, HarborGuard monitors the upstream advisory on every ingest cycle and will trigger a patched-image rebuild automatically once Oracle ships a remediation. In the meantime, compensating controls worth evaluating include network-policy isolation to restrict HTTP access to the Internal Operations component to only known, authorized source IP ranges; egress filtering to limit outbound connections from the affected service; and, where the feature can be toggled, disabling or restricting access to the Internal Operations component until a patch is available. For customers with auto-remediation enabled, the full rebuild, regression run, and PR workflow will activate without manual steps as soon as an upstream fix is published.
- Oracle Corporation / Oracle Outsourced Mfg for Discrete Industries ≤ 12.2.15
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H