CVE-2026-46820 affects Oracle Financials Common Modules (part of Oracle E-Business Suite) versions 12.2.3 to 12.2.15. It is an easily exploitable vulnerability that allows a low privileged attacker with network access over HTTP to compromise the product. Successful exploitation can lead to unauthorized access to critical data or full access to all data accessible by Oracle Financials Common Modules, as well as unauthorized update, insert, or delete operations on some data. The vulnerability has a CVSS 3.1 score of 8.5, indicating high severity with significant confidentiality and integrity impacts. The vulnerability also has a scope change, potentially affecting additional Oracle products. Oracle’s May 2026 Critical Security Patch Update advisory references this vulnerability but does not explicitly confirm patch availability for this CVE in the provided content. Oracle recommends applying security patches promptly and testing any mitigations in non-production environments.

Successful exploitation of CVE-2026-46820 can result in unauthorized access to critical data within Oracle Financials Common Modules and potentially other related Oracle products. Attackers may gain complete access to all data accessible by the affected modules and can perform unauthorized update, insert, or delete operations on some data. This compromises confidentiality and integrity of the data but does not affect availability. The vulnerability is exploitable remotely over HTTP by a low privileged attacker without user interaction, increasing the risk of compromise if unpatched.

Oracle strongly recommends applying the May 2026 Critical Security Patch Update as soon as possible to address this vulnerability. Although the vendor advisory does not explicitly confirm patch availability for CVE-2026-46820, it is included in the May 2026 CSPU, which contains targeted high-priority security fixes. Until patches are applied, risk may be reduced by blocking network protocols required for exploitation or removing unnecessary privileges from users, but these are not long-term solutions and may impact functionality. Customers should test any mitigations in non-production environments. Staying on supported versions and promptly applying Oracle security patches is critical to mitigating this vulnerability.