CVE-2026-46821: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. in Oracle Corporation Oracle Financials Common Modules
CVE-2026-46821 is a high-severity vulnerability in Oracle Financials Common Modules versions 12. 2. 3 through 12. 2. 15. It allows a low privileged attacker with network access via HTTP to compromise the Oracle Financials Common Modules, potentially leading to unauthorized access to critical data or complete access to all accessible data within these modules. The vulnerability has a CVSS 3. 1 base score of 7. 7, indicating a significant confidentiality impact without requiring user interaction. Oracle has included this vulnerability in its May 2026 Critical Security Patch Update advisory, which provides patches for affected versions.
AI Analysis
Technical Summary
CVE-2026-46821 is a vulnerability in Oracle Financials Common Modules (part of Oracle E-Business Suite) affecting versions 12.2.3 through 12.2.15. It allows a low privileged attacker with network access over HTTP to compromise the modules, resulting in unauthorized access to critical or all accessible data. The vulnerability has a CVSS 3.1 score of 7.7 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high confidentiality impact. The vulnerability may also impact additional Oracle products due to scope change. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes 35 security patches across multiple products. Oracle advises customers to apply these patches without delay and to remain on supported versions. Temporary mitigations include blocking network protocols or removing unnecessary privileges, but these do not fix the underlying issue.
Potential Impact
Successful exploitation of CVE-2026-46821 can lead to unauthorized access to critical data or complete access to all data accessible through Oracle Financials Common Modules. The vulnerability affects confidentiality but does not impact integrity or availability. Due to scope change, other Oracle products may also be significantly impacted. No known exploits in the wild have been reported, but the vulnerability is considered easily exploitable by a low privileged attacker with network access via HTTP.
Mitigation Recommendations
Oracle has released security patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches promptly to mitigate the risk. Until patches are applied, risk may be reduced by blocking network protocols required by the attack or by removing unnecessary privileges from users, though these are not permanent fixes and may disrupt application functionality. Oracle recommends testing any such changes in non-production environments. Customers should also ensure they are running supported product versions and have not skipped previous security updates.
CVE-2026-46821: Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Financials Common Modules. While the vulnerability is in Oracle Financials Common Modules, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Financials Common Modules accessible data. in Oracle Corporation Oracle Financials Common Modules
Description
CVE-2026-46821 is a high-severity vulnerability in Oracle Financials Common Modules versions 12. 2. 3 through 12. 2. 15. It allows a low privileged attacker with network access via HTTP to compromise the Oracle Financials Common Modules, potentially leading to unauthorized access to critical data or complete access to all accessible data within these modules. The vulnerability has a CVSS 3. 1 base score of 7. 7, indicating a significant confidentiality impact without requiring user interaction. Oracle has included this vulnerability in its May 2026 Critical Security Patch Update advisory, which provides patches for affected versions.
CVSS v3.1
Score 7.7high
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-46821 is a vulnerability in Oracle Financials Common Modules (part of Oracle E-Business Suite) affecting versions 12.2.3 through 12.2.15. It allows a low privileged attacker with network access over HTTP to compromise the modules, resulting in unauthorized access to critical or all accessible data. The vulnerability has a CVSS 3.1 score of 7.7 with vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, indicating network attack vector, low attack complexity, low privileges required, no user interaction, scope change, and high confidentiality impact. The vulnerability may also impact additional Oracle products due to scope change. Oracle has addressed this vulnerability in its May 2026 Critical Security Patch Update, which includes 35 security patches across multiple products. Oracle advises customers to apply these patches without delay and to remain on supported versions. Temporary mitigations include blocking network protocols or removing unnecessary privileges, but these do not fix the underlying issue.
Potential Impact
Successful exploitation of CVE-2026-46821 can lead to unauthorized access to critical data or complete access to all data accessible through Oracle Financials Common Modules. The vulnerability affects confidentiality but does not impact integrity or availability. Due to scope change, other Oracle products may also be significantly impacted. No known exploits in the wild have been reported, but the vulnerability is considered easily exploitable by a low privileged attacker with network access via HTTP.
Mitigation Recommendations
Oracle has released security patches for this vulnerability as part of the May 2026 Critical Security Patch Update. Customers are strongly advised to apply these patches promptly to mitigate the risk. Until patches are applied, risk may be reduced by blocking network protocols required by the attack or by removing unnecessary privileges from users, though these are not permanent fixes and may disrupt application functionality. Oracle recommends testing any such changes in non-production environments. Customers should also ensure they are running supported product versions and have not skipped previous security updates.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- oracle
- Date Reserved
- 2026-05-18T15:55:10.303Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://www.oracle.com/security-alerts/cspumay2026.html","vendor":"Oracle"}]
Threat ID: 6a18aa2de29bf47b5027be3e
Added to database: 5/28/2026, 8:48:45 PM
Last enriched: 5/28/2026, 9:19:15 PM
Last updated: 5/29/2026, 8:18:35 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.