CVE-2026-46976 | Severity: HIGH | CNA: oracle

CVE-2026-46976: Vulnerability in the Oracle Public Sector Payroll product of Oracle E-Business Suite (component: Internal Operations)

Vulnerability in the Oracle Public Sector Payroll product of Oracle E-Business Suite (component: Internal Operations). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Public Sector Payroll. Successful attacks of this vulnerability can result in takeover of Oracle Public Sector Payroll. CVSS 3.1 Base Score 7.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Metrics

  • CVSS v3.1 base score: 7.2
  • Severity: HIGH
  • Fixed in: no fix version published
  • Affected products: 1


HarborGuard Analysis

Synopsis

A high-severity vulnerability affects the Internal Operations component of Oracle Public Sector Payroll, part of Oracle E-Business Suite versions 12.2.3 through 12.2.15. The flaw is reachable over the network via HTTP and requires a high-privileged account to exploit, with no victim interaction needed. Successful exploitation gives an attacker full control over the affected Oracle Public Sector Payroll instance, impacting confidentiality, integrity, and availability. No fix version has been published yet; HarborGuard is tracking the advisory and will surface a patched-image rebuild the moment Oracle releases one.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Oracle E-Business Suite components. Any image carrying an affected version of Oracle Public Sector Payroll (12.2.3 through 12.2.15) will be flagged automatically.

Triage (Available)

HarborGuard scores this finding at CVSS 7.2 (High) using the published v3.1 vector and can weight that score against each customer organization's compliance policy to escalate or suppress accordingly. Triage findings are routed to the inbox configured for the affected environment, ensuring the right team sees the alert without manual filtering.

Patch (Pending upstream)

Because no upstream fix has been published, HarborGuard re-checks the Oracle advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, customers with compensating controls configured (such as network-policy isolation or egress filtering) will see those controls reflected in the triage context alongside this finding.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Oracle Public Sector Payroll service over the network via HTTP; local or physical access is not sufficient.

  • Authentication: Required

    A high-privileged account within the application is needed; low-privilege or anonymous access is not sufficient to trigger the vulnerability.

  • Victim interaction: Not required

    The attacker can complete the attack without any action from a legitimate user or administrator.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other hard-to-control environmental factors.

Blast Radius

  • A successful attacker reads all data accessible to the Oracle Public Sector Payroll application, including payroll records, employee personal information, and stored credentials or session tokens.
  • The attacker can modify or delete persisted payroll data, benefit configurations, and audit records within the affected instance.
  • The attacker can crash or render the Oracle Public Sector Payroll service unavailable, disrupting payroll processing for the affected organization.
  • Because the CVSS description characterizes the outcome as a full takeover, the attacker gains persistent control of the application tier and can use that foothold to pivot to connected backend systems.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked against all images in customer registries and CI/CD pipelines, including custom images built on Oracle E-Business Suite base layers. Because Oracle has not yet published a fix for the affected versions (12.2.3 through 12.2.15), no patched-image rebuild is available at this time. HarborGuard re-evaluates the advisory on every ingest cycle and will surface a rebuild automatically once Oracle ships a patch. In the meantime, customers are encouraged to apply compensating controls: consider isolating Oracle Public Sector Payroll nodes behind strict network policy to limit HTTP reachability to only trusted internal sources, enforce egress filtering to restrict outbound connections from the application tier, and audit which accounts hold high-privileged roles within the application to minimize the pool of credentials that could be used in an attack. Where compliance policy supports it, HarborGuard can flag any image running an affected version as a policy violation, gating promotion of that image through CI/CD pipelines until the upstream fix is available.

Affected packages
  • Oracle Corporation / Oracle Public Sector Payroll
    ≤ 12.2.15
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H