HIGH | CVE-2026-46973 | CNA: oracle

CVE-2026-46973: Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations)

Vulnerability in the Oracle Outsourced Mfg for Discrete Industries product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Outsourced Mfg for Discrete Industries. Successful attacks of this vulnerability can result in takeover of Oracle Outsourced Mfg for Discrete Industries. CVSS 3.1 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1: 8.8
  • Severity: HIGH
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a high-severity vulnerability in the Internal Operations component of Oracle Outsourced Mfg for Discrete Industries, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. It is reachable over the network via HTTP and requires only a low-privilege account, with no victim interaction needed. Successful exploitation gives an attacker full control over the affected application, including the ability to read, modify, or destroy data and disrupt service. No fix version has been published yet; HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as Oracle releases a patch.

HarborGuard Coverage

Detection

Detection of CVE-2026-46973 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that package Oracle E-Business Suite components. Coverage applies automatically without manual configuration.

Status: Available

Triage

Triage is available with the full CVSS 3.1 score of 8.8 (HIGH) surfaced alongside each affected image finding, weighted against each customer organization's compliance policy to reflect its actual risk posture. Findings are routed to the appropriate team inbox within each customer org based on configured ownership and severity thresholds.

Status: Available

Patch

Because no fix version has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the interim, customers can apply compensating controls such as network-policy isolation of the affected service, egress filtering, and restricting HTTP access to the Internal Operations component to known trusted accounts.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle E-Business Suite application over the network via HTTP; no local or physical access is needed.

  • Authentication: Required

    Any low-privilege account on the application is sufficient; no administrative or elevated credentials are required.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; exploitation is entirely attacker-driven.

  • Attack complexity: Detail

    Attack complexity is low, meaning the exploit is reliable and requires no special race conditions, memory layout knowledge, or other environmental factors.

Blast Radius

  • A successful attacker reads all data accessible to the Internal Operations component, including manufacturing records, order data, and any stored credentials or session material.
  • The attacker modifies or deletes persisted records within the Oracle Outsourced Mfg for Discrete Industries application, corrupting manufacturing and supply chain data.
  • The attacker disrupts or crashes the affected application, taking the Internal Operations component offline and halting dependent business processes.
  • The combination of full confidentiality, integrity, and availability impact constitutes a complete takeover of the affected Oracle E-Business Suite component.

How HarborGuard Handles This

Available on HarborGuard: because Oracle has not yet published a fix for CVE-2026-46973, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment an upstream patch is released. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads, with no manual intervention required. While waiting for an upstream fix, customers can reduce exposure by applying network policies that restrict HTTP access to the Internal Operations endpoint to known, authenticated internal networks only, by enabling egress filtering on containers running affected E-Business Suite versions, and by auditing low-privilege accounts with access to the Internal Operations component to limit the pool of credentials an attacker could use. All findings for this CVE are visible in the HarborGuard dashboard, tagged with CVSS 8.8 HIGH, and routed according to each organization's configured compliance policy.

Affected packages
  • Oracle Corporation / Oracle Outsourced Mfg for Discrete Industries
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H